Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

SOLVED
1 ACCEPTED SOLUTION

Re: Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

The description of the CVE says that you have to establish a connection to a device to exploit this. The MX simply routing traffic through it would not be affected. 

3 REPLIES 3
Re: Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

Interesting... I'll obviously defer to Meraki to answer this, but thinking out loud, and assuming I understand the description of the problem, you would first need to establish a TCP connection to a device before you could trigger it. I haven't port scanned a Meraki device for a while, but IIRC your only option here would be the local status page. Turning that off should mitigate this, unless there are other open TCP ports...

Re: Are Meraki devices vulnerable to the TCP SACK Kernel Panic DOS?

Thanks @jdsilva!

Since HTTP runs over TCP, and our MX250 routes traffic from the public Internet, it would be reassuring if Meraki would confirm we can't be DOS'd with TCP SACK. 🙂
