PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE’S RESPONSE TO CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187


SUMMARY

On September 23, 2014, reports were published regarding a security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, which could leave systems running those operating systems open to exploitation by specially crafted attacks. Customers have asked about the exposure of Aerohive’s products. Aerohive customers are already protected against this.

AFFECTED PRODUCTS AND VERSIONS

Aerohive HiveOS (all versions) is not vulnerable. HiveOS does not use Bash.

Aerohive HiveManager (all versions up through 6.2r1) shipped with a vulnerable version of Bash. The known network-exploitable vectors do not succeed in compromising this product.

Aerohive StudentManager uses a vulnerable version of Bash. The known network-exploitable vectors do not succeed in compromising this product.

Aerohive Mobility Suite (comprising ID Manager, Client Management, and Social Login) is not vulnerable. The known exploit vectors are not present in these products.

Aerohive cloud servers (MyHive, Redirector, License servers, etc.) are not vulnerable. The known exploit vectors are not present in these products.

DETAILS

The bug is related to how Bash processes environment variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

The Bash vulnerability, now dubbed by some as “Shellshock,” has reportedly been seen in active exploitation against Web servers.

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A specially crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server.

GNU Bash through version 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
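A defender’s self-check for the trailing-string bug described above, added here as an illustration and not part of Aerohive’s advisory. It assumes a POSIX sh and a bash binary on PATH; the variable name shellshock_probe and the marker string are my own choices, and the check is non-destructive (it only echoes a marker).

```shell
#!/bin/sh
# Added example (not from the Aerohive advisory): non-destructive self-check
# for CVE-2014-6271. A vulnerable Bash imports the exported variable as a
# function definition and then keeps parsing the text after the closing
# brace, so the trailing "echo" runs at startup. A patched Bash ignores the
# trailing text (newer releases also only import functions from specially
# named BASH_FUNC_* variables), so nothing is echoed.
#
# Return codes: 0 = not vulnerable, 1 = vulnerable, 2 = bash not installed.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    # The payload after the function body is a harmless marker echo.
    out=$(env shellshock_probe='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable wrapper, suitable for running across a fleet over ssh.
# Propagates the check's return code so callers can act on it.
report_bash_status() {
    if check_cve_2014_6271; then rc=0; else rc=$?; fi
    case $rc in
        0) printf 'bash %s: NOT vulnerable to CVE-2014-6271\n' \
               "$(bash -c 'echo "$BASH_VERSION"')" ;;
        1) printf 'bash %s: VULNERABLE to CVE-2014-6271, patch immediately\n' \
               "$(bash -c 'echo "$BASH_VERSION"')" ;;
        *) printf 'bash not installed: not exposed to this bug\n' ;;
    esac
    return $rc
}
```

Run report_bash_status on each host; a return code of 1 means the installed Bash still executes trailing text from an environment variable and must be patched.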

Aerohive HiveManager does not use the Apache web server. The known exploit via secure shell (SSH) connections does not succeed in compromising the system. In the interest of prudence, on the evening of 25 September all production HiveManager OnLine servers, MyHive servers, and other cloud infrastructure were patched with an updated, non-vulnerable version of Bash. After it became known that the initial Bash patch was incomplete and might still have left the shell vulnerable, Aerohive again patched all production HiveManager OnLine servers, MyHive servers, and other cloud infrastructure on the evening of September 29 with the then-latest version of Bash.

Aerohive StudentManager does not use the Apache web server. The known exploit via secure shell (SSH) connections does not succeed in compromising the system.

DISCOVERY

The bug was originally discovered by Stéphane Chazelas and has been assigned CVE-2014-6271 by the National Vulnerability Database. Incomplete patches subsequently led to CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 among others.

IMPACT

May allow unauthorized disclosure of information; may allow unauthorized modification; may allow disruption of service.

CVSS v2 Base Score: 6.6 (AV:L/AC:M/AU:S/C:C/I:C/A:C)

MITIGATION

None needed for Aerohive HiveOS devices, Aerohive StudentManager, or Aerohive cloud products.

Customers who have an on-premises HiveManager should immediately upgrade to version 6.1r6 or 6.2r1 and apply the patch supplied by Aerohive, or upgrade to version 6.3r1 once it is available.

As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access.


OBTAINING FIXED FIRMWARE

Aerohive customers can obtain the firmware and contact support as needed from our website after logging into the support portal at https://support.aerohive.com.

The specific files for this are hivemanager-bash-patch-32b.signed.tar.gz and hivemanager-bash-patch-64b.signed.tar.gz. Please note that these patches will only successfully be installed on HiveManager 6.1r6a or HiveManager 6.2r1a, and that the HiveManager version will not change after the patch is installed.

Please, do not contact “security(at)aerohive.com” for software upgrades.

STATUS OF THIS NOTICE: Interim

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:

http://www.aerohive.com/support/security-center/security-bulletins

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1 / 2014-09-25 / Initial release

Revision 2 / 2014-10-02 / Final update

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at

http://www.aerohive.com/support/security-center

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information, we encourage the use of PGP encryption. Our public keys can be found at

http://www.aerohive.com/support/security-center

© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.