Cisco Meraki MX67
cpe:2.3:h:cisco:meraki_mx67:*:*:*:*:*:*:*
A vulnerability exists in the local status page feature of Cisco Meraki MX67 and MX68 security appliances. This issue may enable unauthenticated users to access and download logs containing sensitive device information. The vulnerability arises from inadequate access controls on files that store debugging and maintenance data, and can only be exploited if the local status page is activated on the device. An attacker could potentially retrieve wireless pre-shared keys, Site-to-Site VPN keys, and other confidential information, which might lead to administrative access on the device under certain conditions.
Exploitation of this vulnerability could allow unauthorized access to sensitive logs on the affected device, including wireless pre-shared keys and Site-to-Site VPN keys. This information could be used to gain administrative access to the device.
Users are advised to schedule a firmware upgrade to version 14.39 or later for the MX67 model and version 15.12 or later for the MX68 model. Additionally, the local status page can be disabled manually or via the Dashboard API. After upgrading the firmware, it is recommended to change all passwords and secrets used with the MX devices for certain features, such as Site-to-Site VPN or Active Directory integrations.