Meraki

Community

Firmware upgrade MX 16.x

Aztec_Ninja
Getting noticed
‎Jan 29 2022 12:35 AM
‎Jan 29 2022 12:35 AM

Firmware upgrade MX 16.x

After updating the firmware on our MX to 16.15 we started recieving IDS alerts - SERVER-OTHER Exim unauthenticated remote code execution attempt.

 

Sophos has a similar problem but released a patch.  

 

Anyone else expencing the same issue with their MX?

 

0 Kudos
13 Replies 13
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 31 2022 11:50 AM
‎Jan 31 2022 11:50 AM

I haven't seen that issue, but I don't think we have anyone using in house email anymore.  Everyone uses Office 365.

0 Kudos
HaniAbuelkhair4
Getting noticed
‎Jan 31 2022 12:04 PM
‎Jan 31 2022 12:04 PM

No issues and again Everyone uses Office 365

0 Kudos
tomas209ca
Getting noticed
‎Jan 31 2022 2:53 PM
‎Jan 31 2022 2:53 PM

i had these happened the last couple week and they have been going away. Biggest one i have now are mask-api.icloud.com

0 Kudos
PDubs5150
Conversationalist
‎Feb 1 2022 6:12 AM
‎Feb 1 2022 6:12 AM

We have seen this too... have an open ticket with Meraki support.

In response to PDubs5150
Aztec_Ninja
Getting noticed
‎Feb 17 2022 8:45 AM
‎Feb 17 2022 8:45 AM

Any update from Meraki support? 

 

I have found this to be internal IDS Traffic alerts.  Seems like an IDS false positive.  Our IDS settings are set to prevention and security, curious if you're using the same?

 

0 Kudos
In response to Aztec_Ninja
PDubs5150
Conversationalist
‎Feb 23 2022 10:22 AM
‎Feb 23 2022 10:22 AM

We never got a satisfactory answer from Meraki... they basically passed the buck. We are still seeing some "allowed" traffic flagged under the Exim event, almost exclusively from Google and Amazon addresses. Continuing to review with another one of our security vendors.

0 Kudos
In response to PDubs5150
jhopkins
Comes here often
‎Feb 23 2022 10:39 AM
‎Feb 23 2022 10:39 AM

Let us know what comes of it. Still trying to figure it out. I know Exim is SMTP traffic but its being triggered with TLS 1.2 connections. 

0 Kudos
jhopkins
Comes here often
‎Feb 23 2022 8:25 AM
‎Feb 23 2022 8:25 AM

Any updates on this? I have a ticket open about the same thing. Some of them are triggered just communicating with Meraki's website. 

0 Kudos
In response to jhopkins
Aztec_Ninja
Getting noticed
‎Feb 23 2022 8:27 AM
‎Feb 23 2022 8:27 AM

My ticket was closed by meraki support.  Was told they are not security consultants.  

 

How did you track this down to communicating with Meraki website? 

 

0 Kudos
In response to Aztec_Ninja
jhopkins
Comes here often
‎Feb 23 2022 8:39 AM
‎Feb 23 2022 8:39 AM

Interesting that would be their response. I will see what they say. The IP is in the log so just traced it back to Meraki's IP. 

0 Kudos
NBP
Conversationalist
‎Mar 9 2022 8:29 AM
‎Mar 9 2022 8:29 AM

I'm also suddenly receiving a bunch of these IDS alerts. Ours seemed to start after we added a second location/Meraki MX and configured a site-to-site VPN tunnel. The alerts are triggering on traffic traversing the site-to-site VPN tunnel, both on traffic destined to an internal server and outbound to the internet (AWS & Akamai addresses, etc).

0 Kudos
In response to NBP
jhopkins
Comes here often
‎Mar 10 2022 9:49 AM
‎Mar 10 2022 9:49 AM

Have you found why its being triggered or how to stop it besides Whitelist?

0 Kudos
In response to jhopkins
NBP
Conversationalist
‎Mar 10 2022 9:54 AM
‎Mar 10 2022 9:54 AM

No, I whitelisted the rule for now.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.