We woke up this morning to clients unable to access Office 365 and Cisco Duo. Cisco Meraki has posted about this in the community, but we can't reply with additional information because it is a service notice. So you can do this here if you have other apps that break.
Cisco Duo was probably worse for us, as it prevented users from being able to log into their computers or access any corporate app.
If you are still experiencing this issue, turn IPS off, click save, and turn it back on again. This will get you the new signature immediately.
Anyone else with apps that broke feel free to reply.
Do we need to turn off both AMP and Intrusion detection and prevention?
Turning Intrusion detection off and on again is enough.
Thanks. The more information, the better off we will be.
OK, so turned off and on after a few minutes; I did both AMP and IDP and all my broken apps started to work again. In my case all the affected apps are in-house devs, so this issue may expand further than just MS apps.
Looking at the thread where this was initially reported, most users found disabling and re-enabling only briefly fixed the issue.
Most users changed IDS from protection to detection to work around the issue.
We saw multiple apps affected. Duo, Datto RMM, Infor, Microsoft, AnyConnect because it uses Azure AD to authenticate, etc. Hated the lack of information in Microsoft's incident and Meraki's posture; the impact of that rule should have been assessed correctly.
Turning IPS off and back on again does not appear to have fixed all of our customers.
I think I'll just turn IPS off for a couple of hours till the new signature updates roll out.
Hello guys,
We got the below explanation from a Meraki support engineer. Actually, there is not enough information, but you can just take a look.
https://community.meraki.com/t5/Meraki-Service-Notices/Microsoft-vulnerability-and-IPS-SNORT/ba-p/15...
https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2022-35748
Also, you can see the following popup on the Meraki dashboard.
10-Aug-2022: We have received reports of customers experiencing select Microsoft 365 service outages because of Snort rule 1-60381 blocking CVE-2022-35748. The Snort rules have been removed to reduce the impact. A fix has been pushed out at and any pending issues should auto-resolve by 3:00PM PST
We just tried a couple of apps about 10 minutes ago and No Joy!
Even though it's way past 3 PM PST and they mentioned that no config changes are required, we are still unable to access those apps and our Security center still shows numerous blocks to the same signature!
Hello @Dee120, unfortunately the new announcement is below:
'10-Aug-2022: We have received reports of customers experiencing select Microsoft 365 service outages because of Snort rule 1-60381 blocking CVE-2022-35748. The Snort rules have been removed to reduce the impact. A fix has been pushed out and any pending issues should auto-resolve by 6:00PM PST.'