A configuration option for the Splash Page feature (also known as Captive Portal) in Cisco Meraki MR Series devices may allow an administrator to configure an 802.11 WLAN in which traffic policies are not applied to clients that are connecting to the network.
The configuration is insecure when an administrator configures a WLAN with Splash Page access control and sets Captive Portal strength to Allow non-HTTP traffic prior to sign-on.
While this setup is intended to provide wireless clients with connectivity before they interact with the Splash Page, traffic policies are applied only after the sign-on is completed. A malicious user could take advantage of this insecure configuration to circumvent network policies such as firewall rules, content filtering, and traffic shaping that are configured to restrict traffic within the impacted WLAN.
Cisco Meraki does not consider this to be a vulnerability in Cisco Meraki MR Software or in the Splash Page feature. It is considered a configuration issue.
For more robust network security, Cisco Meraki recommends following the guidance in the Recommendations section of this advisory to make any appropriate configuration changes.
Note: The option is disabled by default on WLANs that were created through the Cisco Meraki Cloud Management Interface (also known as Dashboard) after December 4, 2020.
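One way to audit an exported SSID inventory for the configuration described above, as an added example that is not part of the advisory or Cisco Meraki's own code. The record layout, the field names `splashPage` and `blockAllTrafficBeforeSignOn`, and the sample data are assumptions made for this example.

```python
from typing import Iterable

# Constructed sample inventory; field names are assumptions, not a documented schema.
SAMPLE_SSIDS = [
    {"number": 0, "name": "Corp", "enabled": True, "splashPage": "None"},
    {"number": 1, "name": "Guest", "enabled": True,
     "splashPage": "Click-through splash page", "blockAllTrafficBeforeSignOn": False},
    {"number": 2, "name": "Lobby", "enabled": True,
     "splashPage": "Click-through splash page", "blockAllTrafficBeforeSignOn": True},
    {"number": 3, "name": "Events", "enabled": True,
     "splashPage": "Click-through splash page"},  # setting missing from the export
    {"number": 4, "name": "Old-Guest", "enabled": False,
     "splashPage": "Click-through splash page", "blockAllTrafficBeforeSignOn": False},
]

def classify(ssid: dict) -> str:
    """Return 'ok', 'exposed' or 'review' for one SSID record."""
    splash = str(ssid.get("splashPage") or "None").strip().lower()
    if splash == "none":
        return "ok"  # no Splash Page access control on this WLAN
    block = ssid.get("blockAllTrafficBeforeSignOn")
    if block is True:
        return "ok"  # all traffic is held until sign-on completes
    if block is False:
        # Non-HTTP traffic is allowed before sign-on, so traffic policies are
        # not yet applied. A disabled WLAN is not serving clients but would be
        # exposed if re-enabled, so it is queued for review.
        return "exposed" if ssid.get("enabled", False) else "review"
    return "review"  # setting absent or malformed: check it by hand

def audit(ssids: Iterable[dict]) -> dict:
    """Group the names of SSIDs that need attention by verdict."""
    findings = {"exposed": [], "review": []}
    for ssid in ssids:
        verdict = classify(ssid)
        if verdict in findings:
            findings[verdict].append(ssid.get("name", f"ssid-{ssid.get('number')}"))
    return findings

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_SSIDS).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```
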
This advisory is available at the following link:
Security Impact Rating: Informational
Source: Cisco Security Advisories