The issue was reported by one of our offices in Africa. External individuals were supposedly able to bypass the Meraki splash page to access to the Internet without restrictions. The security hole was successfully reproduced in our lab and it just takes 10 seconds to hack the SSID:
- Connect to the open SSID
- Launch the app called Psiphon (available for IOS or Android)
- Start the Psiphon VPN, making sure all traffic is sent to the VPN
That's it, that Psiphon app seems to be able to create a VPN tunnel hidden in DNS packets. The tunnel is then used to route all traffic, even without being authenticated. We have hundreds of offices impacted and Meraki help desk reports:
“this has been forwarded as a feature request and currently we don't have a way to block theses apps from bypassing the splash pages. I will attach this case to the request that was forwarded to the development team. Unfortunately, I am unable to give you a timeline for when the request will be fulfilled.”
It would seem that fixing such massive security hole for an enterprise grade solution would be a top priority.
Our offices with Cisco WLCs were also impacted but we were able to block the app by amending settings and restrict the list of DNS servers that can be reached during the pre-auth phase.
On the Meraki platform, our settings are clearly saying to "Block all access until sign-on is complete". The walled garden listing the only sites accessible during the pre-auth process. Yet that app is still able to create the tunnel.
What about using the L3 firewall rules under Wireless > Configure > Firewall & traffic shaping to allow DNS to your servers, then deny all other UDP53?
The Psiphon website seems to say they tunnel over SSH/L2tpv3/IPSec. I can't find their docs saying they tunnel inside DNS. I'd really like to see that to see what their doing...
Sure. Let me find my notes. Here they are:
a.) Log in to your Cisco Wireless Controller
b.) Go to Controller/Internal DHCP Server/DHCP Scope, click your scope and take a note of your DNS servers. In my case these were 220.127.116.11 and 18.104.22.168.
Usually you have only two DNS servers, but it is also possible to set three.
c.) Go to Controller > Interfaces and take a note of your virtual address.
d.) Go to Security, Access Control Lists, Access Control Lists.
e.) Create a new Access Control List by clicking New. Name it Pre-Auth-ACL.
f.) Click the name of the newly created ACL.
g.) Add the following five rules, while keeping their order.
1. Permit, Source 0.0.0.0/0.0.0.0, Destination: 0.0.0.0/0.0.0.0, Protocol: Any, Source port: Any, Dest port: Any, Direction: outbound.
2. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your virtual address)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound.
3. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your primary DNS)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound.
4. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your secondary DNS)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound.
(If you have a third DNS, add it here)
5. Deny, Source 0.0.0.0/0.0.0.0, Destination: 0.0.0.0/0.0.0.0, Protocol: Any, Source port: Any, Dest port: Any, Direction: inbound.
h. Go to WLANS, Select your guest network, Select Security, Layer 3, and set the newly created ACL as Preauthentication ACL for IPv4.
hi thanks for your reply
i think your senario is a bit different than me .
i have a layer 3 switch DHCP server that i only use the guest wifi to connect guest users to internet.
i am bit confused about my vitual ip 22.214.171.124 which network mask to use .?and which protocol to select for to select DNS as destination port . and is the dns host name a mandatory on my vitual interface page and which name to use ?
i have local DNS servers 10.11.159.3 and .2 but when i use 255.255.255.0 it doesn\t allow me it obliged me to use 255.255.255.255 as network mask .
kindly for your help thanks
DNS traffic has to pass in almost every captive portal setup, so this is not a Meraki issue per se. The fact that DNS can be used to tunnel data could of course be solved by DPI on Meraki but en more so on the DNS server in use. Umbrella for example would leverage its protocol knowledge to block this.
The issue here is that DNS to any public IP is allowed in the pre-auth phase. It should be allowed only to those servers which are handed out to client by DHCP. Those allowed should be captured and all answers should point to the captive server instead of the original answer. Cisco WLC is also vulnerable but that can be fixed by creating a pre-auth ACL.
1 - Check this setting on the SSID to see if it is set to block all access until sign-in is complete
Captive portal strength
2 - You might try L3 Firewall rules on that ssid to block the below ports that Psiphon uses, as I don't think you have the need for VPN users on an Open SSID
53, 80, 443, 554, 1935, 7070, 8000, 8001, 6971-6999.
3 - Also another option may be sponsored guest login
@jdsilva, allowing DNS only for Google in the AP firewall page didn't make the trick. VPN is still going through.
@SoCalRacer , that setting (block all access till sign-on is complete) is already enabled. I am a bit reluctant to block all ports you mentioned as they include HTTP/HTTPS... Last, that sponsor page uses the same splash mechanism and is also bypassed by the app (plus we spent hours and tons of $ developing and standardizing on that guest wifi branded portal).
We have advance security on all our MXs, setting content filtering to block "Proxy Avoidance and anonymizers" doesn't worked either...
What happens if you set your DHCP server to assign the Umbrella DNS to the guest clients? DNS tunneling should be blocked there (at least it would if you have an account and set it up like that).
Apart from that: you could run a packet capture for that client to analyze what‘s happening in the background. Based on that one could take proper action.
I faced same problem in my office actually we use work around not sure if it is suitable for you we change guest SSID authentication from Open to WPA2-Enterprise with Meraki Authentication with No splash page option so guest will not access your network to be able to send traffic until they are authenticated just needs to print few instruction for the guet how to access once you created their credential, Hope this is fitt to your setup and could be help,
SLR, can you please elaborate? Where do you set Umbrella and how will that stop tunneling over DNS?
We tried to set Custom DNS in the SSID settings, even that is not working in the pre-auth phase.
Based on what everyone has said here I'm not sure that just setting Umbrella in your DHCP scope would work. If DNS is allowed out to anywhere then it needs to be more.
There's an Umbrella integration available with MR where the AP actually intercepts DNS and redirects it to Umbrella. That could actually help here... But it's an additional license on a per AP basis.
Well, I am quite sure we don't want spend some more money this way just to plug this hole. It is possible to set custom DNS per SSID (Content filtering: custom DNS), we tried that, it did not work.
The app uses DNS port to create a tunnel and channel all traffic inside it. It seems that Meraki is allowing DNS traffic to any IP in the background, even if our SSID settings are configured to block all traffic than the one listed in the walled garden.
Now the good news, pending further tests, is that we were able to block the app by creating layer 3 firewall rules preventing to use any DNS other than the DHCP provided ones but at MX level. Unfortunately when creating the same set of rules with the MR layer 3 firewall, it doesn't work and the tunnel can still be established over DNS.
So 2 problems:
1. Meraki allows DNS traffic to any server during the pre-auth phase. This makes it vulnerable to these apps creating tunnels over DNS.
2. The MR layer 3 firewall is not blocking DNS traffic for the SSID as opposed to the MX firewall. This makes it difficult to scale up a patch as our LAN clients are not using the same DNS servers (it's typically upstreamed to the ISP DNS).