CVE-2018-0284

A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files. The vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.

CVSS v3.0 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki	Vendor Advisory
http://www.securityfocus.com/bid/105878	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:cisco:meraki_mr_24_firmware::::::::
	cpe:2.3:o:cisco:meraki_mr_25_firmware::::::::

cpe:2.3:h:cisco:meraki_mr:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:cisco:meraki_ms_10_firmware::::::::
	cpe:2.3:o:cisco:meraki_ms_9_firmware::::::::

cpe:2.3:h:cisco:meraki_ms:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:cisco:meraki_mx_15_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_14_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_13_firmware::::::::

cpe:2.3:h:cisco:meraki_mx:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:cisco:meraki_mx_15_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_13_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_14_firmware::::::::

cpe:2.3:h:cisco:meraki_z1:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:cisco:meraki_mx_15_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_13_firmware::::::::
	cpe:2.3:o:cisco:meraki_mx_14_firmware::::::::

cpe:2.3:h:cisco:meraki_z3:-:*:*:*:*:*:*:*

Information

Published : 2018-11-08 08:29

Updated : 2019-10-09 16:31

NVD link : CVE-2018-0284

Mitre link : CVE-2018-0284

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

cisco

meraki_mr_24_firmware
meraki_ms_10_firmware
meraki_ms
meraki_mx_14_firmware
meraki_mx_15_firmware
meraki_mx_13_firmware
meraki_z3
meraki_mr_25_firmware
meraki_mr
meraki_ms_9_firmware
meraki_mx
meraki_z1

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2018-0284

6.5^/10

4.0^/10

Attach tags to `CVE-2018-0284`