Meraki

Sid · ‎Jan 4 2018

Two questions:

Are Cisco firewalls (MX84, etc.) potentially vulnerable to Meltdown or Spectre? (I'm not sure what CPU is actually inside). If so, when will an update be available to mitigate the vulnerability?
Is there any filtering/protection available for meltdown or spectre based attacks to protect hardware behind Cisco firewalls?

Georg · ‎Jan 11 2018

We now have a blog (https://meraki.cisco.com/blog/2018/01/spectre-and-meltdown-vulnerabilities/) as well that provides additional information.

Cisco Meraki along with the Cisco Product and Security Incident Response Team (PSIRT) have completed the investigation

regarding the recently announced Spectre/Meltdown security vulnerability and have found that no Meraki devices are affected. Customers using vMX and VM concentrators need to ensure their virtual machines are secured. Customers using vMX should reach out to their Cloud Service Providers (CSP) and are advised to follow the steps recommended by their CSP.

For additional information regarding the vulnerability, please refer to the official PSIRTdisclosure.

View solution in original post

BHC_RESORTS · ‎Jan 4 2018

Not a Meraki employee - but my opinion is doubtful it could be exploited. Meraki has never publicly commented on the CPU inside the MX series (other than stating once that it was "x86 based") that I'm aware of. I thought some of the older models were ARM or custom ASIC, but they might indeed be x86. At the root of this issue it is basically a memory leak/exploit. The MXs (and the rest of the product lines) run a modified version of Linux, so a patch should be available.

As for #2, no. Just maintain good patching hygiene as patches are available for Linux, Windows, and OSX.

BHC Resorts IT Department

PhilipDAth · ‎Jan 4 2018

To exploit Meltdown or Spectre you have to be able to run code on the platform. Embedded systems, like Meraki, provide no way for you to run any code on the paltform except their own - so they are not affected.

These vulnerabilities are all about rogue code stealing data from another process running on the CPU.

I doubt anyone will be able to detect this until an active exploit exists, at which time a signature will be able to be created to match the exploit.

BHC_RESORTS · ‎Jan 4 2018

@PhilipDAth wrote:
To exploit Meltdown or Spectre you have to be able to run code on the platform. Embedded systems, like Meraki, provide no way for you to run any code on the paltform except their own - so they are not affected.

These vulnerabilities are all about rogue code stealing data from another process running on the CPU.

I doubt anyone will be able to detect this until an active exploit exists, at which time a signature will be able to be created to match the exploit.

True, but it is probably technically possible for someone to create a malformed packet that might bypass protection checks. Likely? Not at all. But probably possible.

BHC Resorts IT Department

PhilipDAth · ‎Jan 4 2018

I don't think so @BHC_RESORTS

The vulnerability requires you to execute code. The vulnerability exploits an issue with the CPU speculatively running code, and allows memory to be read from another protected execution environment.

So a stray packet would have to some how cause code to be executed, somehow cause the speculative scheduler to abort, read the memory from another protected process from the CPU cache, and then somehow put it back into another packet and send it out.

It's not like running code on a PC or phone where there is a way to actually get code onto the device, run the code, retrieve the memory contents of another process, and then do something with it.

It's not going to happen. It would say there is a greater probability I will die tomorrow.

sanoopsec · ‎Jan 6 2018

As per cisco In order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although, the underlying CPU and OS combination in a product may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable. There is no vector to exploit them.

A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends customers harden their virtual environment and to ensure that all security updates are installed.

mmmmmmark · ‎Jan 4 2018

The MX84 use the Intel Atom C2000 line as they are susceptible to the clock signal issue. Not sure about the other MX lines though.

DCooper · ‎Jan 9 2018

Cisco Meraki is aware of the public discussion about security researcher findings relating to vulnerabilities in certain modern CPU architectures. Our team, together with the Cisco PSIRT team, is following our well-established process to investigate all aspects of the issue and evaluate potential impact on Cisco Meraki products.

Based on the limited information currently available, we do not expect this issue to affect any Cisco Meraki products. After a thorough investigation is completed we will share additional details through our established disclosure processes.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechann...

Sid · ‎Jan 9 2018

Thank you @DCooper for your response.

BlakeRichardson · ‎Jan 9 2018

Most hackers want personal data i.e. passwords, Credit card, passport and other personal information. Unless they are hell bent of technological warfare most are going to bother trying to hack security appliances where most of there traffic is SSL encrypted anyway.

As previously stated the best approach is make sure all of your client devices are patched.

Georg · ‎Jan 11 2018