CVE-2022-20685

NassFrank
New here

Hi All

Please can you tell me if the planned upgrade we have to MR 28.6 will remediate published vulnerability CVE-2022-20685, which impacts MX84 and MX100 Meraki devices?

Kind Regards

9 Replies

alemabrahao
Kind of a big deal

Hi,

I believe not, check the notes:

Meraki APs use UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications when running MR 27 and older firmware. When running MR 28 firmware, Meraki APs will now use TCP port 443 as the primary means for cloud connectivity. In order to maintain connectivity to the Meraki cloud on MR 28+ ensure that TCP port 443 is allowed to communicate with 209.206.48.0/20 on firewalls that are deployed upstream of your Meraki APs. (Wi-Fi 6 MRs)

There is no impact on MX devices.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NassFrank
New here

Hi - thanks for your reply. However, the Cisco Security Advisory for the CVE in question states as follows:

Meraki MX Software

Cisco Meraki MX Software Release | First Fixed Release
MX14 | Migrate to a fixed release.
MX15 | Migrate to a fixed release.
MX16 | Hotfix planned for mid-February 2022. [1] Release planned for March 2022. [2]

[1] The hotfix is planned for the MX67, MX68, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, and MX600 platforms.
[2] The release is planned for the MX64 and MX65 platforms.

This would suggest that 'MX' models are impacted by this vulnerability. Happy to stand corrected if I have misread this in any way at all.

Kind Regards

alemabrahao
Kind of a big deal

Hi,

I understand, but MR 28.6 is about Access points not about MX devices.

Take a look at MX 15.44.1 release notes.

NassFrank
New here

Okay, thanks for pointing that out. So, would you happen to know how I can find out if the planned hotfix Cisco had for Feb 2022 for the MX devices is available, or any way to check on the devices themselves to see if the hotfix has been applied?

Kind Regards

alemabrahao
Kind of a big deal

Well, I checked the firmware available in Organization > Monitor > Firmware upgrades, and I didn't find any information related to CVE-2022-20685. Maybe you can open a ticket to check with the support team.
NassFrank
New here

Okay, thank you. I have opened a ticket with Cisco TAC, but wanted to check here on the forums too.

Appreciate your replies.

ww
Kind of a big deal

Let us know 🙂

Brash
Kind of a big deal

Just to round out this thread, only Meraki MX devices have been listed as impacted in Cisco's PSIRT.

The fixed release for the MX is 16.16

Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

RaphaelL
Kind of a big deal

Is it confirmed that only MX 16.16 contains the fix? Not 15.44.3 or anything else?