Cisco Security Advisory
Cisco Meraki Local Status Page Configuration Hardening
-
Cisco Meraki devices implement a Local Status Page (LSP) feature. This is a web-based interface that is primarily intended to provide administrators with the ability to apply configuration settings that are required for the device to connect to the Cisco Meraki Dashboard, perform local troubleshooting, or monitor the device status.
The LSP requires authentication. With the factory default settings, the LSP credentials consist of the device hardware serial number as the username and an empty password. An attacker can take advantage of the low entropy of the default credentials, combined with the absence of any mechanism that limits login attempts, to carry out a brute-force attack against the LSP authentication form. If successful, the attacker may gain unauthorized access to the LSP and use it to modify sensitive configuration options, cause a denial of service (DoS) condition, or obtain low-privileged information.
The LSP is enabled by default.
Note: The hardware serial number is visible on the device surface and is printed on the shipment packaging.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-lsp-7xySn6pj
-
Cisco Meraki devices are designed to be fully managed through a cloud management interface (Meraki Dashboard). In addition, Cisco Meraki devices include the LSP feature, which is a web administrative interface that is hosted locally on the device. The LSP feature is typically used during initial setup to apply configuration options that are needed for the device to connect to the Cisco Meraki Dashboard, monitor device status and utilization, and perform local troubleshooting.
The target audience for this informational advisory is Cisco Meraki customers who either have the LSP deployed with the factory default configuration or are unaware that the feature is available on their devices.
-
Cisco Meraki strongly encourages administrators whose LSP is still configured with the factory default credentials to review the configuration settings and replace the factory default password with a strong password.
To modify the LSP factory default credentials, do the following:
- Log in to the Cisco Meraki dashboard.
- Navigate to Network-wide > General > Device configuration.
- Configure the Local credentials field with a user-defined strong password. This password and the username admin will be used as LSP credentials for all devices that belong to the network under configuration.
Note: The LSP can be disabled by a configuration change in the Cisco Meraki Dashboard. However, regardless of the setting, the LSP will remain active on devices that are equipped with a physical management port. Therefore, Cisco Meraki recommends that administrators change the factory default credentials.
The steps for changing the default password of the Local Status Page are outlined in the following document: Using the Cisco Meraki Device Local Status Page.
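The dashboard procedure above can also be applied and audited programmatically. The following is an added example, not Cisco's or Meraki's own code: it uses the Meraki Dashboard API to read a network's settings, flag networks where LSP authentication is not enabled (so the serial-number username and empty password still apply), and optionally push a randomly generated strong password for the fixed `admin` user. The endpoint path `/networks/{networkId}/settings` and the `localStatusPage.authentication` object with its `enabled` and `password` keys are assumptions about the API v1 schema and should be checked against the current Meraki API reference; the sample settings objects are constructed, not captured from a real dashboard.

```python
"""Audit and harden Cisco Meraki Local Status Page (LSP) credentials.

Added example (not Cisco/Meraki code). Assumed API shape:
GET/PUT /networks/{networkId}/settings carrying
{"localStatusPageEnabled": bool,
 "localStatusPage": {"authentication": {"enabled": bool, "username": "admin", "password": str}}}
Network calls only happen when run as a script with MERAKI_API_KEY and
MERAKI_NETWORK_ID set; the audit/payload helpers run fully offline.
"""
import json
import os
import secrets
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # public Dashboard API base (assumed v1 path)

# Constructed sample responses used for offline testing (not real dashboard output).
SAMPLE_DEFAULT = {
    "localStatusPageEnabled": True,
    "localStatusPage": {"authentication": {"enabled": False, "username": "admin"}},
}
SAMPLE_HARDENED = {
    "localStatusPageEnabled": True,
    "localStatusPage": {"authentication": {"enabled": True, "username": "admin"}},
}


def generate_lsp_password(length: int = 24) -> str:
    """Return a random URL-safe password; 24 such characters carry roughly 144 bits."""
    # token_urlsafe(n) yields about 4n/3 characters, so slicing to `length` is safe.
    return secrets.token_urlsafe(length)[:length]


def audit_lsp_settings(settings: dict) -> list:
    """Return a list of findings for one network's settings object (empty list = OK)."""
    findings = []
    auth = settings.get("localStatusPage", {}).get("authentication", {})
    if not auth.get("enabled", False):
        msg = ("LSP authentication disabled: factory default credentials "
               "(device serial number as username, empty password) apply")
        # Per the advisory, switching the LSP off in the dashboard is not enough:
        # devices with a physical management port keep serving it.
        if not settings.get("localStatusPageEnabled", True):
            msg += ("; the LSP is switched off in the dashboard, but it stays "
                    "active on devices with a physical management port")
        findings.append(msg)
    return findings


def build_hardening_payload(password: str) -> dict:
    """Build the PUT body that enables LSP authentication with the given password.

    The username is fixed to `admin` by the platform, so only the password is sent.
    """
    if len(password) < 12:
        raise ValueError("refusing to set a short password on an admin interface")
    return {"localStatusPage": {"authentication": {"enabled": True, "password": password}}}


def _request(method: str, path: str, api_key: str, body: dict = None) -> dict:
    """Minimal authenticated JSON request against the Dashboard API (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {api_key}",  # Meraki accepts a bearer API key
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api_key = os.environ["MERAKI_API_KEY"]
    network_id = os.environ["MERAKI_NETWORK_ID"]
    current = _request("GET", f"/networks/{network_id}/settings", api_key)
    for finding in audit_lsp_settings(current):
        print("FINDING:", finding)
    # Only rotate the password when explicitly requested.
    if os.environ.get("MERAKI_APPLY") == "1":
        new_password = generate_lsp_password()
        _request("PUT", f"/networks/{network_id}/settings", api_key,
                 build_hardening_payload(new_password))
        print("LSP password set; store it in your password manager:", new_password)
```

Run it once per network with `MERAKI_APPLY` unset to see which networks still rely on the default credentials, then with `MERAKI_APPLY=1` to apply the change; the generated password is shared by every device in the network, exactly as the dashboard procedure describes, so it should go straight into a password manager rather than a ticket or chat message.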
-
Cisco Meraki would like to thank Mohammed Adel of Safe Decision Cybersecurity Labs for the suggestion to raise awareness of LSP factory default credentials among Cisco Meraki customers.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description            | Section | Status | Date
1.0     | Initial public release. | -       | Final  | 2023-APR-05
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.