Meraki

Community

About SGenin

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by in Wireless
‎Jul 9 2019 2:07 PM
1 Kudo
‎Jul 9 2019 2:07 PM
1 Kudo
The app uses DNS port to create a tunnel and channel all traffic inside it. It seems that Meraki is allowing DNS traffic to any IP in the background, even if our SSID settings are configured to block all traffic than the one listed in the walled garden.   Now the good news, pending further tests, is that we were able to block the app by creating layer 3 firewall rules preventing to use any DNS other than the DHCP provided ones but at MX level. Unfortunately when creating the same set of rules with the MR layer 3 firewall, it doesn't work and the tunnel can still be established over DNS.   So 2 problems: 1. Meraki allows DNS traffic to any server during the pre-auth phase. This makes it vulnerable to these apps creating tunnels over DNS. 2. The MR layer 3 firewall is not blocking DNS traffic for the SSID as opposed to the MX firewall. This makes it difficult to scale up a patch as our LAN clients are not using the same DNS servers (it's typically upstreamed to the ISP DNS). ... View more

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by in Wireless
‎Jul 8 2019 11:12 AM
‎Jul 8 2019 11:12 AM
@jdsilva, allowing DNS only for Google in the AP firewall page didn't make the trick. VPN is still going through.   @SoCalRacer , that setting (block all access till sign-on is complete) is already enabled. I am a bit reluctant to block all ports you mentioned as they include HTTP/HTTPS... Last, that sponsor page uses the same splash mechanism and is also bypassed by the app (plus we spent hours and tons of $ developing and standardizing on that guest wifi branded portal).   We have advance security on all our MXs, setting content filtering to block "Proxy Avoidance and anonymizers" doesn't worked either... ... View more

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by in Wireless
‎Jul 8 2019 10:40 AM
‎Jul 8 2019 10:40 AM
Our offices with Cisco WLCs were also impacted but we were able to block the app by amending settings and restrict the list of DNS servers that can be reached during the pre-auth phase.   On the Meraki platform, our settings are clearly saying to "Block all access until sign-on is complete". The walled garden listing the only sites accessible during the pre-auth process. Yet that app is still able to create the tunnel. ... View more

Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet access

by in Wireless
‎Jul 8 2019 10:32 AM
4 Kudos
‎Jul 8 2019 10:32 AM
4 Kudos
The issue was reported by one of our offices in Africa. External individuals were supposedly able to bypass the Meraki splash page to access to the Internet without restrictions. The security hole was successfully reproduced in our lab and it just takes 10 seconds to hack the SSID: - Connect to the open SSID - Launch the app called Psiphon (available for IOS or Android) - Start the Psiphon VPN, making sure all traffic is sent to the VPN   That's it, that Psiphon app seems to be able to create a VPN tunnel hidden in DNS packets. The tunnel is then used to route all traffic, even without being authenticated. We have hundreds of offices impacted and Meraki help desk reports: “this has been forwarded as a feature request and currently we don't have a way to block theses apps from bypassing the splash pages. I will attach this case to the request that was forwarded to the development team. Unfortunately, I am unable to give you a timeline for when the request will be fulfilled.”   It would seem that fixing such massive security hole for an enterprise grade solution would be a top priority. ... View more
© 2024 Cisco Systems, Inc.