PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE’S RESPONSE TO "GHOST", AKA CVE-2015-0235


SUMMARY

On 27 January 2015, reports were published regarding a security vulnerability in the GNU C Library (glibc), a common library of functions used in most Linux distributions and in many networking products. It is called the GHOST vulnerability because it can be triggered by the GetHOST functions. It is a buffer overflow vulnerability.

AFFECTED PRODUCTS AND VERSIONS

  • Aerohive HiveOS versions prior to 6.6r1 use vulnerable versions of the library.
  • Aerohive HiveManager on-premises versions prior to 6.6r1 use vulnerable versions of the library.
  • Aerohive HiveManager OnLine (HMOL), all versions, is not vulnerable. Library updates were performed the week of January 26.
  • Aerohive Mobility Suite (comprising ID Manager, Client Management, and Social Login) is not vulnerable. Library updates were performed the week of January 26.
  • Aerohive cloud servers (MyHive, Redirector, License servers, etc) are not vulnerable. Library updates were performed the week of January 26.
  • Aerohive HiveManager-NG is not vulnerable. Library updates were performed the week of January 26.

DETAILS

Ghost is a buffer overflow flaw. The overflow resides in __nss_hostname_digits_dots(), a glibc function that is invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to cause either of these functions to be called could, with enough knowledge about the target system, exploit the flaw to execute arbitrary code with the permissions of the user running the application. glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages, because their runtimes also rely on glibc.

To successfully exploit this vulnerability, the attacker must not only be able to place arbitrary data onto the system heap, but must also be able to force the vulnerable application or some other process within the target system to actually execute it. Aerohive does not believe this is possible on Aerohive access points, branch routers, or switches. As a matter of prudence, however, Aerohive intends to update glibc with the next scheduled release of HiveOS to mitigate any exposure here.
 
A blog post discussing this vulnerability has been published by Qualys at https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
The initial, very technical discussion was published by Qualys at http://www.openwall.com/lists/oss-security/2015/01/27/9
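The following self-test is an added example, not code from Aerohive or from this advisory; it follows the same approach as the check program Qualys published alongside its analysis. It calls gethostbyname_r() with an all-digit name sized so that, on an unpatched glibc, __nss_hostname_digits_dots() writes past the caller-supplied buffer into a canary placed directly after it; a patched glibc refuses the call with ERANGE before touching the buffer. The enum names, the CANARY string and the main() wrapper are this example's own choices, and the size arithmetic assumes the glibc buffer layout described in the Qualys analysis (a 16-byte address, two pointers, then the name).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes gethostbyname_r() on non-glibc libcs such as musl */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Outcome codes for the self-test (names chosen for this example). */
enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* libc returned ERANGE: the bounds check is present */
    GHOST_VULNERABLE = 1,      /* the canary after the buffer was overwritten */
    GHOST_INCONCLUSIVE = -1    /* neither happened, e.g. a libc with a different resolver */
};

#define CANARY "in_the_coal_mine"

/* Run the resolver against a buffer that is exactly large enough under
 * the vulnerable accounting (which omitted one pointer, h_alias_ptr) and
 * report whether the bytes following the buffer were modified. */
enum ghost_result ghost_check(void)
{
    /* Buffer and canary are adjacent members, so an overrun of a few
     * bytes lands in the canary rather than somewhere unpredictable. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /* Name length that fills the buffer exactly: buffer size minus a
     * 16-byte host_addr, two h_addr_ptrs pointers and the terminator. */
    size_t name_len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                      - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', name_len);   /* all digits, so the digits-and-dots path is taken */
    name[name_len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:
        puts("vulnerable: this glibc lacks the CVE-2015-0235 fix");
        return 1;
    case GHOST_NOT_VULNERABLE:
        puts("not vulnerable");
        return 0;
    default:
        puts("inconclusive: confirm the libc version by other means");
        return 2;
    }
}
```

Because the name is rejected (or mishandled) inside the digits-and-dots fast path, the test performs no network lookup and can be run on an isolated host. A result of "inconclusive" is expected on libcs that do not share glibc's resolver design and should not be read as a clean bill of health; patch status then has to be confirmed from the package version.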

DISCOVERY

Ghost was discovered by security researchers at Qualys. It has been assigned CVE-2015-0235 by the National Vulnerability Database.

IMPACT

May allow disruption of service.

CVSS v2 Base Score: 6.4  (AV:N/AC:L/Au:N/C:N/I:P/A:P)

MITIGATION

No action is needed for Aerohive cloud products, including HiveManager OnLine. These servers were all patched the week of January 26.

Customers who have on-premises HiveManager should immediately upgrade to versions 6.1r6c, 6.2r1c, 6.4r1b, or 6.4r2a (these will be released 17 March). Alternatively, upgrade to version 6.6r1 when it becomes available in June.
 
HiveOS devices should be upgraded to version 6.6r1 when it becomes available in June.
 
Some HiveOS devices cannot run version 6.6r1 software. The last version of HiveOS for the AP320/340 was version 6.1; customers with these platforms should upgrade to version 6.1r6X when it is available. The last version of HiveOS for the AP110/120/170 and BR100 was version 6.2; customers with these platforms should upgrade to version 6.2rX when it is available. The release dates for these versions of HiveOS are TBD.
 
StudentManager should be upgraded to version 1.2r2.
 
As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access.


OBTAINING FIXED FIRMWARE

Aerohive customers can obtain the firmware and contact support as needed from our website after logging into the support portal at https://support.aerohive.com

Please, do not contact “security(at)aerohive.com” for software upgrades.

STATUS OF THIS NOTICE: Interim

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
 
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:
http://www.aerohive.com/support/security-center/security-bulletins

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1 / 2015-01-30 / Initial publication
Revision 2 / 2015-03-16 / Updated with version numbers and dates for mitigating releases of HiveOS and HiveManager

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at
http://www.aerohive.com/support/security-center

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.aerohive.com/support/security-center

© Copyright 2015 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.