Cisco Meraki Local Status Page Configuration Hardening

Cisco Meraki devices implement a Local Status Page (LSP) feature. This is a web-based interface that is primarily intended to provide administrators with the ability to apply configuration settings that are required for the device to connect to the Cisco Meraki Dashboard, perform local troubleshooting, or monitor the device status.

The LSP requires authentication. When configured with the factory default settings, the LSP credentials consist of the device hardware serial number as the username and an empty password. An attacker can take advantage of the low entropy of the default credentials, as well as the lack of a mechanism that limits login attempts, to carry out a brute-force attack against the LSP authentication form. If successful, the attacker may gain unauthorized access to the LSP and use it to modify sensitive configuration options, cause a denial of service (DoS) condition, or obtain low-privileged information.

The LSP is enabled by default.

Note: The hardware serial number is visible on the device surface and is printed on the shipment packaging.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-lsp-7xySn6pj

Security Impact Rating: Informational

Source: Cisco Security Advisories