Read-only admin can cycle switch ports???

sungod
Level 11

One of our customers contacted me after they had an issue with a switch port/connected device.

I was surprised when they told me they had cycled the port, they have only organization read access, they do not have any other permissions such as port management privileges.

I can see in the event log that the port was cycled a few times.

Is it really correct that a read-only admin can cycle ports? I would not expect read-only access to permit any impact on device operation.

17 Replies

MerakiGnome
Meraki Community All-Star

Have you tried labbing that one @jscorb? I'm a read-only admin for one particular customer, so I'll take a look to see if I can cycle a switch port.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

MerakiGnome
Meraki Community All-Star

Hi @jscorb, yep, that worked and I can see the switch port being cycled in the event log.

Agree that this shouldn't be allowed as a Read Only admin.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

Thanks for checking.

Guess I'll be opening yet another support case!

Raphael_L
Meraki Community All-Star

Of course they can!

I can't find my old post about that. There is a list of things that R-O 'admins' can do that make 0 sense. Let me find it.

Raphael_L
Meraki Community All-Star

Here it is: https://community.meraki.com/t5/Switching/Live-Tools/m-p/179117

Okay, it's not a loooong list, but cable test and port cycle shouldn't be available to RO admins. The fact that there are no logs at all is also a big joke.

MerakiGnome
Meraki Community All-Star

Ouch! Nearly been a year but that “feature” still remains.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

Raphael_L
Meraki Community All-Star

I can probably paste my actual case here but they have a weird definition of 'dashboard admin'.

They basically said: working as expected, please make a wish/feature request. 🙂

Also, we had one of our 400-500 dashboard "admins" that was doing 1-48 cable tests during the day and that was affecting videoconference rooms... we couldn't find the culprit since there are NO logs. What a fun time we had last year!

'strewth!

Words fail me.

BlakeRichardson
Meraki Community All-Star

Hmm, there's a few odd things coming out: first the requirement for hardware to be part of a network to actually be "claimed", and now the fact RO admins can disrupt a network. I am not sure what part of read only isn't read only.

I would like the ability to have far more detail in the logs; it should be an option that Org admins can enable if they wish to. For those that can read detailed logs it's most likely going to cut down on support cases being opened, which saves Meraki money but also means customers / MSPs can resolve their own issues.

Win win for both sides.


sungod
Level 11

As expected, support say it's supposed to work like this, disappointing.

My response was that it's still incorrect behaviour and needs fixing, I asked them to escalate it.

Might be useful if a few more people could open a case for this; as it stands, a malicious RO user with a bit of scripting knowledge could easily cause major problems across an organization.

We now have internal discussion to decide if/when we should start warning customers of the risk, as some of them want to have a lot of RO users.
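A defender-side check, added here and not part of the thread: given an event log that does record who invoked a live tool (the thread notes cable tests are not logged at all), flag disruptive live-tool use by read-only admins and spot bursts like the scripted scenario described above. The log format, role labels and admin roster are constructed assumptions for illustration, not Meraki's actual schema or API.

```python
"""Added example: flag port-cycle / cable-test events by read-only admins
and alert on bursts. Event format and role labels are assumed, not Meraki's."""
from datetime import datetime, timedelta

# Constructed admin roster: email -> dashboard role (assumed role labels)
ADMINS = {
    "noc@example.com": "full",
    "helpdesk@example.com": "read-only",
}

# Constructed event-log lines (assumed format: ISO time | actor | action | target)
EVENTS = """
2024-05-01T09:00:01Z | noc@example.com | port_cycle | MS01/3
2024-05-01T09:05:12Z | helpdesk@example.com | port_cycle | MS01/7
2024-05-01T09:05:20Z | helpdesk@example.com | port_cycle | MS01/8
2024-05-01T09:05:31Z | helpdesk@example.com | cable_test | MS01/9
2024-05-01T09:05:40Z | helpdesk@example.com | port_cycle | MS02/1
""".strip().splitlines()

DISRUPTIVE = {"port_cycle", "cable_test"}  # live tools that interrupt traffic

def parse(line):
    """Split one constructed log line into (timestamp, actor, action, target)."""
    ts, actor, action, target = [f.strip() for f in line.split("|")]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target

def ro_disruptive_events(lines, admins=ADMINS):
    """Return events where a read-only admin used a disruptive live tool."""
    out = []
    for ln in lines:
        ts, actor, action, target = parse(ln)
        if action in DISRUPTIVE and admins.get(actor) == "read-only":
            out.append((ts, actor, action, target))
    return out

def burst_actors(events, window=timedelta(minutes=1), threshold=3):
    """Actors with >= threshold disruptive actions inside any sliding window."""
    by_actor = {}
    for ts, actor, *_ in events:
        by_actor.setdefault(actor, []).append(ts)
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                flagged.add(actor)
    return flagged
```

Feed it whatever export your logging actually provides; the useful output is the burst list, which is the "culprit" the thread could not identify.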

MerakiGnome
Meraki Community All-Star

Put out a post on social media ie LinkedIn and forward your customers to this post and also reference your TAC support case number. Might get some 👀 on it then.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

Well, I just reported it as a vulnerability via Meraki's chosen route (bugcrowd), will see what happens.

Our internal security/systems people can decide what to do next with customers, I've more fun things I want to spend time on 🙂

sungod
Level 11

Well, I've exhausted options with Meraki support and their security vulnerability reporting process.

A read-only user has the ability to carry out a denial of service; Meraki's position (stated via both channels) is that it is 'intended behaviour'.

Time to warn customers.

TonyC1
Cisco Employee

Hi @jscorb and Community!

First – thanks for raising this as a topic. While we initially designed the read-only role to include a user's ability to troubleshoot, and port cycle (along with all live tools) is seen as falling into that permissible category, we also fully recognize that this may or may not be the desired behavior based on your own organizational IT policies.

We are reviewing and further evaluating how we may add an explicit option to enable or disable this, so as to put this decision in our users' hands. We'll follow up when we have an update to share to address this concern and feedback.

Thanks for being Meraki MS customers, we value each of you. Be in touch!

~tony

Product Management, Meraki Switching