
MX-64 security flaw? Configuration settings are change alerts

SOLVED
Highlighted
Here to help

MX-64 security flaw? Configuration settings are change alerts

Hi Everyone,

 

Did anyone else notice that if your MX is set up to send alerts to administrators whenever configuration settings are changed, you can go into the alerts settings (if you have the appropriate privileges), uncheck that setting, save the setting, make whatever changes you'd like, go back into alerts, check the setting again, save, and log out, and no alerts will be generated or sent? 

 

Sure you can still see the changes made in the event log, but I would think that, at a minimum, admins would get an alert when the 'configuration settings are changed' is changed from checked to unchecked.  Am I imagining things, or is this a security/audit concern?
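Because the changes themselves still appear in the log, as the post above notes, the gap can be covered after the fact by reviewing exported change records for periods in which the change alert was switched off. This is an added example, not part of the original thread and not Meraki's code; the record field names and the label text are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Assumed label of the alert setting as it would appear in an exported change record.
ALERT_LABEL = "Configuration settings are changed"

# Constructed sample records (hypothetical field names: ts, admin, label, old, new).
SAMPLE_LOG = [
    {"ts": "2024-01-10T09:00:00", "admin": "alice", "label": "SSID 1 name", "old": "Guest", "new": "Visitors"},
    {"ts": "2024-01-10T09:10:00", "admin": "bob", "label": ALERT_LABEL, "old": "enabled", "new": "disabled"},
    {"ts": "2024-01-10T09:12:00", "admin": "bob", "label": "L3 firewall rule 1", "old": "deny", "new": "allow"},
    {"ts": "2024-01-10T09:15:00", "admin": "bob", "label": "Client VPN", "old": "disabled", "new": "enabled"},
    {"ts": "2024-01-10T09:20:00", "admin": "bob", "label": ALERT_LABEL, "old": "disabled", "new": "enabled"},
    {"ts": "2024-01-10T11:00:00", "admin": "carol", "label": ALERT_LABEL, "old": "enabled", "new": "disabled"},
    {"ts": "2024-01-10T11:05:00", "admin": "carol", "label": "VLAN 20 subnet", "old": "10.0.20.0/24", "new": "10.0.30.0/24"},
]


def find_silent_windows(records, alert_label=ALERT_LABEL):
    """Return periods in which the change alert was off, with the changes made meanwhile."""
    windows, current = [], None
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["ts"])):
        toggle = rec["label"] == alert_label
        if toggle and rec["new"] == "disabled":
            if current is None:  # ignore a repeated "disabled" inside an open window
                current = {"disabled_by": rec["admin"], "disabled_at": rec["ts"],
                           "enabled_at": None, "changes": []}
        elif toggle and rec["new"] == "enabled":
            if current is not None:
                current["enabled_at"] = rec["ts"]
                windows.append(current)
                current = None
        elif current is not None:
            current["changes"].append(rec)  # change made while no alert would be sent
    if current is not None:
        windows.append(current)  # alert still off at end of log: enabled_at stays None
    return windows


if __name__ == "__main__":
    for w in find_silent_windows(SAMPLE_LOG):
        labels = [c["label"] for c in w["changes"]]
        print(w["disabled_by"], w["disabled_at"], "->", w["enabled_at"], labels)
```

A window whose `enabled_at` is `None` means the alert was never switched back on, which deserves the same review as a closed window.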

1 ACCEPTED SOLUTION

Accepted Solutions
Meraki Employee

Re: MX-64 security flaw? Configuration settings are change alerts

Community members – Thank you for bringing this to our attention. We have addressed this bug; disabling the alert itself will now generate a change alert again.
17 REPLIES 17
Building a reputation

Re: MX-64 security flaw? Configuration settings are change alerts

@PentagonSystems, I agree that definitely seems like a security issue.  I am going to have to give it a try on the MX65 - MX100 out of production time to see if that is the case across all models.  A little concerning.

Getting noticed

Re: MX-64 security flaw? Configuration settings are change alerts

I have indeed noticed the same but have little success submitting such issues via Cisco Meraki Enterprise Support. Furthermore, nothing I have ever entered in "I wish this page..." section of the Meraki Dashboard ever gets acknowledged as being put on the roadmap. Even worse, when you mention things to support agents like the issue you mention, the support agent suggests raising it with a Product Manager. One would think this sort of thing qualifies, as you classify it, as a "Security Flaw" needing to be addressed.

Cohort Networks Inc.
Your Business. Connected.
Here to help

Re: MX-64 security flaw? Configuration settings are change alerts

 This is not restricted to MX either, I've seen this behavior across all Meraki products.

Building a reputation

Re: MX-64 security flaw? Configuration settings are change alerts

@PentagonSystems @BowlesCR @Cohort_Networks We should definitely add it to the make a wish board on this community.  Fortunately we can at least tag Meraki staff and know that it's going to an actual person and not just on a spreadsheet somewhere.  I will definitely Kudo and push for that wish as well as get my colleagues to do the same.

Building a reputation

Re: MX-64 security flaw? Configuration settings are change alerts


@PentagonSystems wrote:

Hi Everyone,

 

Did anyone else notice that if your MX is set up to send alerts to administrators whenever configuration settings are changed, you can go into the alerts settings (if you have the appropriate privileges), uncheck that setting, save the setting, make whatever changes you'd like, go back into alerts, check the setting again, save, and log out, and no alerts will be generated or sent? 

 

Sure you can still see the changes made in the event log, but I would think that, at a minimum, admins would get an alert when the 'configuration settings are changed' is changed from checked to unchecked.  Am I imagining things, or is this a security/audit concern?


I'd suggest sending it to security@meraki.com as mentioned here: https://meraki.cisco.com/trust#srp

BHC Resorts IT Department
Meraki Employee

Re: MX-64 security flaw? Configuration settings are change alerts

Please do submit via the process BHC outlined. I will also bring this to the attention of our developers, thanks for reporting.
Conversationalist

Re: MX-64 security flaw? Configuration settings are change alerts

Why don't we all just submit a High Priority ticket for this issue. If they get the same requests for the same issue it will kick this up the ladder pretty quickly. Submit one ticket per Org. Lots of cut and paste.

Building a reputation

Re: MX-64 security flaw? Configuration settings are change alerts


@ARiK_LeV wrote:

Why don't we all just submit a High Priority ticket for this issue. If they get the same requests for the same issue it will kick this up the ladder pretty quickly. Submit one ticket per Org. Lots of cut and paste.


Seems silly to report an issue you don't have. Also, there is the old tale of the boy who cried wolf...personally I only submit tickets for issues I personally experience, but that's just me.

BHC Resorts IT Department
Here to help

Re: MX-64 security flaw? Configuration settings are change alerts

I know you can get email alerts or SNMP alerts with wireless settings in dashboard - is this not the same for MXs??

Getting noticed

Re: MX-64 security flaw? Configuration settings are change alerts


@SteveM wrote:

I know you can get email alerts or SNMP alerts with wireless settings in dashboard - is this not the same for MXs??


Yes, of course you can. However, I think people are misunderstanding the issue, being that anyone as an admin can turn off alerts for changes made to the dashboard, make changes at will and then turn alerts back on, all without a single alert/notification ever being fired off by the dashboard. It would be logical that if alerts are turned off OR turned on that an alert be sent. This has been an issue with the Meraki dashboard since I started using it in 2010/2011 that impacts not just the MX64 but changes made to all devices.
 

Cohort Networks Inc.
Your Business. Connected.
Here to help

Re: MX-64 security flaw? Configuration settings are change alerts

Thanks - I didn't know if the toggling on/off that feature itself would generate a log report to send as a default.  

Getting noticed

Re: MX-64 security flaw? Configuration settings are change alerts


@BHC_RESORTS wrote:

@ARiK_LeV wrote:

Why don't we all just submit a High Priority ticket for this issue. If they get the same requests for the same issue it will kick this up the ladder pretty quickly. Submit one ticket per Org. Lots of cut and paste.


Seems silly to report an issue you don't have. Also, there is the old tale of the boy who cried wolf...personally I only submit tickets for issues I personally experience, but that's just me.


Completely agreed, BHC_RESORTS, multiple tickets are not required or appropriate; however, the issue as described is an issue that affects everyone that uses the Meraki Dashboard, not just a subset of people using specific hardware. Someone from Meraki has said they will run this up the ladder; if they don't and it doesn't get resolved, then egg on their and the Meraki Community's face.

Cohort Networks Inc.
Your Business. Connected.
Meraki Employee

Re: MX-64 security flaw? Configuration settings are change alerts

All,

 

I have submitted this to our product/engineering team, will keep everyone posted but no need to make additional submissions.

Getting noticed

Re: MX-64 security flaw? Configuration settings are change alerts

Come on Meraki @TonyC ,

 

I just tested this again and it STILL IS NOT RESOLVED! Am I to assume this is an indication of just how seriously Meraki takes security flaws of this nature (or not)? This is nothing short of a security flaw that needs to be addressed and given the priority security flaws are due, and not treated as a simple nice-to-have feature request. Get this fixed!

 

 

Cohort Networks Inc.
Your Business. Connected.
Meraki Employee

Re: MX-64 security flaw? Configuration settings are change alerts

Community members – Thank you for bringing this to our attention. We have addressed this bug; disabling the alert itself will now generate a change alert again.
Here to help

Re: MX-64 security flaw? Configuration settings are change alerts

What code release will this enhancement come out in?

 

Meraki Employee

Re: MX-64 security flaw? Configuration settings are change alerts

This was a cloud-based change; it does not require any firmware changes.
