PRODUCT SECURITY ADVISORY

AUTHENTICATED USER PRIVILEGE ESCALATION

SUMMARY

On Thursday 26 June 2018, Aerohive was contacted by a security researcher who reported that he had discovered a method by which authenticated administrative users could escalate their own privileges to root, giving them full access to the access point.
This vulnerability can only be exploited by authenticated administrative users on access points running specific versions of HiveOS. Once root privilege is acquired, the malicious user has full control over the device: they can install, replace, or manipulate local programs or files (such as activity logs) on the device, manipulate or insert frames into traffic traversing the access point, or halt services provided by the access point.
AFFECTED PRODUCTS AND VERSIONS

  • Aerohive believes that HiveOS running on access points, switches, CVG appliances, and BR and XR platforms can be affected when running any of the following versions, and those devices should be updated promptly:
    • HiveOS versions 3.0r1 through 6.5r9a, inclusive
    • HiveOS versions 6.6r1 through 8.2r3, inclusive
    • HiveOS versions 8.3r1 through 8.4r3, inclusive
  • Aerohive’s cloud management offerings HiveManager Classic and HiveManager are NOT vulnerable to this issue.
  • Aerohive’s on-premises appliance versions of HiveManager Classic (HMOP) are NOT vulnerable to this issue.
  • Aerohive’s on-premises version of HiveManager (NGVA) is NOT vulnerable to this issue.
  • Aerohive’s secure access management system, A3, is NOT vulnerable to this issue.

DETAILS

HiveOS is a closed system that operates on top of a customized Linux kernel. Access to the underlying Linux kernel and file system is normally restricted to Aerohive field service technicians, Aerohive factory workers installing HiveOS, and internal developers and QA personnel. Each Aerohive device has a unique password, related to the device serial number, for access to the underlying Linux shell command line.
Starting with software releases in August and September 2018, Aerohive will release new versions of HiveOS that change the algorithms used to provide access to the underlying Linux shell command line. See the Mitigation section of this advisory for release versions and timeframes.

DISCOVERY

This vulnerability was brought to Aerohive’s attention by, and we offer our sincere thanks to, Victorien Molle (biche@biche.re).

MITIGATION

  • Ensure that you do not use shared administrative accounts; each administrator should have their own account so that actions can be attributed in forensic evidence, especially if you forward logs to external syslog collectors.
  • Check the versions of HiveOS running on your access points, switches, CVG appliances, or BR or XR devices, and upgrade promptly to the following versions of HiveOS:
    • HiveOS 6.5r10, planned for release in August 2018, or a later release in this version (i.e. r11, r12, etc.).
    • HiveOS 6.9r4, planned for release in September 2018, or a later release in this version (i.e. r5, r6, etc.).
    • HiveOS 8.2r4, planned for release in September 2018, or a later release in this version (i.e. r5, r6, etc.).
    • HiveOS 8.4r4, planned for release in August 2018, or any major or minor version greater than this (i.e. 8.4r5, 9.0r1, 10.0r1, etc.).
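As an added example that is not part of this advisory or of Aerohive's own tooling, the following Python script encodes the affected version ranges and the fixed releases listed above so that a fleet inventory can be triaged automatically; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re

# Affected ranges (inclusive) and fixed releases, exactly as listed in this advisory.
AFFECTED_RANGES = [("3.0r1", "6.5r9a"), ("6.6r1", "8.2r3"), ("8.3r1", "8.4r3")]
FIXED_RELEASES = ["6.5r10", "6.9r4", "8.2r4", "8.4r4"]

# HiveOS versions look like MAJOR.MINOR r REV with an optional letter suffix (6.5r9a).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)r(\d+)([a-z]?)$")


def parse_hiveos_version(text):
    """Turn '8.4r3' or '6.5r9a' into a tuple that sorts in release order."""
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError("unrecognised HiveOS version: %r" % text)
    major, minor, rev, suffix = match.groups()
    # A lettered re-spin (6.5r9a) sorts after its base revision (6.5r9) because '' < 'a'.
    return (int(major), int(minor), int(rev), suffix)


def is_affected(version):
    """True if the version falls inside one of the advisory's inclusive ranges."""
    v = parse_hiveos_version(version)
    return any(parse_hiveos_version(lo) <= v <= parse_hiveos_version(hi)
               for lo, hi in AFFECTED_RANGES)


def upgrade_candidates(version):
    """Fixed releases from the advisory that are newer than the running version."""
    v = parse_hiveos_version(version)
    return [f for f in FIXED_RELEASES if parse_hiveos_version(f) > v]


def triage(inventory):
    """Map each device name to (affected?, candidate fixed releases)."""
    return {name: (is_affected(ver), upgrade_candidates(ver))
            for name, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "ap-lobby-01": "6.5r9a",    # last affected release of the 6.5 train
    "ap-lobby-02": "6.5r10",    # first fixed 6.5 release
    "sw-core-01": "8.2r3",      # affected
    "ap-floor2-07": "8.4r4",    # fixed
    "br-branch-03": "6.9r3",    # affected (inside 6.6r1 .. 8.2r3)
}

if __name__ == "__main__":
    for host, (affected, fixes) in triage(SAMPLE_INVENTORY).items():
        status = ("AFFECTED -> upgrade to " + ", ".join(fixes)) if affected else "not affected"
        print("%-14s %s" % (host, status))
```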

As always, Aerohive recommends that you follow security best practices, including reducing the attack surface through physical access controls and network controls such as network-level ACLs that restrict access to sensitive equipment. Aerohive also offers the ability to completely deny access to either SSH or the console port via policy; see the following for more on this:

http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-management-options.htm
http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-traffic-filter.htm

STATUS OF THIS NOTICE: PRELIMINARY

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:
https://www.aerohive.com/support/security-center/

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 2018-07-31 INITIAL PUBLICATION

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and on obtaining assistance with security incidents is available at:
https://www.aerohive.com/support/security-center/

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information, we encourage the use of PGP encryption. Our public keys can be found at:
https://www.aerohive.com/support/security-center/