MX-64 security flaw? Configuration settings are change alerts

SOLVED
PentagonSystems
Here to help

MX-64 security flaw? Configuration settings are change alerts

Hi Everyone,

 

Did anyone else notice that if your MX is set up to send alerts to administrators whenever configuration settings are changed, you can go into the alerts settings (if you have the appropriate privileges), uncheck that setting, save the setting, make whatever changes you'd like, go back into alerts, check the setting again, save, and log out, and no alerts will be generated or sent? 

 

Sure you can still see the changes made in the event log, but I would think that, at a minimum, admins would get an alert when the 'configuration settings are changed' is changed from checked to unchecked.  Am I imagining things, or is this a security/audit concern?

1 ACCEPTED SOLUTION

Community members – Thank you for bringing this to our attention. We have addressed this bug; disabling the alert itself will now generate a change alert again.

View solution in original post

17 REPLIES 17
MerakiJockey505
Building a reputation

@PentagonSystems, I agree that definitely seems like a security issue.  I am going to have to give it a try on the the MX65 - MX100 out of production time to see if that is the case across all models.  A little concerning.

JPAWELCHAK
Getting noticed

I have indeed noticed the same but have little success submitting such issues via Cisco Meraki Enterprise Support. Furthermore, nothing I have ever entered in "I wish this page..." section of the Meraki Dashboard ever gets acknowledges as being put on the roadmap. Even worse when you mention things to support agents like the issue you mention the support agent suggests raising it with a Product Manager. One would think this sort of thing qualifies as you classify it a "Security Flaw" needing to be addressed.

CHARTER
Forward, Together
BowlesCR
Here to help

 This is not restricted to MX either, I've seen this behavior across all Meraki products.

MerakiJockey505
Building a reputation

@PentagonSystems@BowlesCR@JPAWELCHAKWe should definitely add it to the make a wish board on this community.  Fortunately we can at least tag Meraki staff and know that it's going to an actual person and not just on a spreadsheet somewhere.  I will definitely Kudo and push for that wish as well as get my colleagues to do the same.

BHC_RESORTS
Head in the Cloud


@PentagonSystems wrote:

Hi Everyone,

 

Did anyone else notice that if your MX is set up to send alerts to administrators whenever configuration settings are changed, you can go into the alerts settings (if you have the appropriate privileges), uncheck that setting, save the setting, make whatever changes you'd like, go back into alerts, check the setting again, save, and log out, and no alerts will be generated or sent? 

 

Sure you can still see the changes made in the event log, but I would think that, at a minimum, admins would get an alert when the 'configuration settings are changed' is changed from checked to unchecked.  Am I imagining things, or is this a security/audit concern?


I'd suggest sending it to security@meraki.com as mentioned here: https://meraki.cisco.com/trust#srp

BHC Resorts IT Department

Please do submit via the process BHC outlined. I will also bring this to the attention of our developers, thanks for reporting
TonyC
Meraki Employee
Meraki Employee

All,

 

I have submitted this to our product/engineering team, will keep everyone posted but no need to make additional submissions.

Come on Meraki @TonyC ,

 

I just tested this again and it STILL IS NOT RESOLVED! Am i to assume this is indication of just how seriously Meraki takes security flaws of this nature (or not)? This is nothing short of security flaw that needs to be address and given the priority security flaws are due and not treated as a simple nice to have feature request. Get this fixed!

 

 

CHARTER
Forward, Together

Community members – Thank you for bringing this to our attention. We have addressed this bug; disabling the alert itself will now generate a change alert again.

What code release will this enhancement come out.

 

This was a cloud-based change, does not require any firmware changes.

ARiK_LeV
Conversationalist

Why don't we  all just submit a  High Priority   ticket for this issue.   If they  get the same requests for the same issue it will kick this up the ladder pretty quickly.   Submit one ticket per Org.   Lots of cut and paste.


@ARiK_LeV wrote:

Why don't we  all just submit a  High Priority   ticket for this issue.   If they  get the same requests for the same issue it will kick this up the ladder pretty quickly.   Submit one ticket per Org.   Lots of cut and paste.


Seems silly to report an issue you don't have. Also, there is the old tale of the boy who cried wolf...personally I only submit tickets for issues I personally experience, but that's just me.

BHC Resorts IT Department


@BHC_RESORTS wrote:

@ARiK_LeV wrote:

Why don't we  all just submit a  High Priority   ticket for this issue.   If they  get the same requests for the same issue it will kick this up the ladder pretty quickly.   Submit one ticket per Org.   Lots of cut and paste.


Seems silly to report an issue you don't have. Also, there is the old tale of the boy who cried wolf...personally I only submit tickets for issues I personally experience, but that's just me.


Completely agreed BHC_RESORTS multiple tickets not required or appropriate, however, the issue as described is an issue that affects everyone that uses the Meraki Dashboard not just a subset of people using specific hardware. Someone from Meraki has said they will run this up the ladder, if they don't and doesn't get resolved then egg on their and Meraki Community's face.

CHARTER
Forward, Together
SteveM
Here to help

I know you can get email alerts or snmp alerts with wireless settings in dashboard - is this not the same for MX'S??  


@SteveM wrote:

I know you can get email alerts or snmp alerts with wireless settings in dashboard - is this not the same for MX'S??  


Yes of course you can. However, I think people are misunderstanding the issue being that anyone as an admin can turn of alerts for changes made to the dashboard, make changes at will and then turn alerts back on all without a single alert/notification ever being fired off by the dashboard. It would be logical that if alerts are turned off OR turned on that an alert be sent. This has been an issue with the Meraki dashboard since I started using it in 2010/2011 that impacts not just the MX64 but changes made to all devices.
 

CHARTER
Forward, Together

Thanks - I didn't know if the toggling on/off that feature itself would generate a log report to send as a default.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels