PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE'S RESPONSE TO MELTDOWN AND SPECTRE (JAN 5, 2018)


SUMMARY

On Thursday, 04 January 2018, CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 were published in response to research from Google’s Project Zero, among others, into side-channel analysis of speculative execution on modern computer processors.

These attacks have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753) and have their own namesake websites at https://meltdownattack.com/ and https://spectreattack.com/

These hardware vulnerabilities can be exploited by local programs on a given host processor to get hold of secrets stored in the memory of other running programs. All Aerohive products are closed systems, not allowing the installation of third-party applications. Because of this, Aerohive believes that these vulnerabilities cannot be exploited on Aerohive products in their normal configurations.


AFFECTED PRODUCTS AND VERSIONS

  • Aerohive believes that HiveOS on access points, switches, CVG appliances, and BR platforms, all versions, is NOT affected, as exploiting these vulnerabilities relies on installing and executing a specially crafted application, and non-Aerohive software cannot be installed on these products.
  • Aerohive’s cloud management offerings HiveManager Classic and HiveManager NG have already had their underlying operating systems and hypervisors patched and are NOT vulnerable to other applications on the same host hardware. Aerohive customers cannot install their own applications on these platforms, so they cannot affect other cloud customers either.
  • Aerohive’s on-premises appliance versions of HiveManager Classic (HMOP) are closed systems not allowing the installation of third-party applications and therefore in normal configurations these named attacks cannot be exploited.
  • Aerohive’s on-premises version of HiveManager-NG (NGVA) is a closed system not allowing the installation of third-party applications and therefore in normal configurations these named attacks cannot be exploited against other VMs on the same host. We recommend customers review https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html for guidance on securing your virtualization environment to protect NGVA from other applications on the same host.
  • Aerohive’s VPN Gateway virtual appliance (also known as CVG) is a closed system not allowing the installation of third-party applications and therefore in normal configurations these named attacks cannot be exploited against other VMs on the same host. We recommend customers review https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html for guidance on securing your virtualization environment to protect CVG from other applications on the same host.

DETAILS

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data that is currently being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Specific details on these vulnerabilities can be retrieved from the namesake websites https://meltdownattack.com/ and https://spectreattack.com/

IMPACT

May allow unauthorized disclosure of information.

MITIGATION

  • HiveOS access points, switches, CVG appliances, or BR devices – No mitigation needed.
  • Aerohive cloud products (HMOL, HM-NG) – No mitigation needed.
  • VPN Gateway virtual appliance, also known as CVG – Review https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html for guidance on securing your virtualization environment to protect CVG against other applications.
  • On-premises HiveManager (HMOP) – No mitigation needed.
  • On-premises HiveManager-NG (NGVA) – Review https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html for guidance on securing your virtualization environment to protect NGVA against other applications.

As always, Aerohive recommends that you follow best security practices, including reduction of the possible attack surface by use of physical access control methods and network methods such as network-level ACLs to restrict access to sensitive equipment.
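The guidance above leaves the state of the customer-managed virtualization hosts and guests to the customer. The following script is an added example, not Aerohive code and not part of this advisory; it summarises, for a Linux kernel that exposes the sysfs vulnerability interface under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and distribution backports from January 2018; this is an assumption about the host, and HiveOS devices and ESXi hosts do not expose it), whether the kernel reports each of the three CVEs named in this advisory as mitigated. The directory layout and file names are the kernel's own; the sample directory the script builds for offline use is constructed here.

```shell
#!/bin/sh
# Added example (not Aerohive's code): report a Linux kernel's mitigation status
# for CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2) and CVE-2017-5754
# (Meltdown). Assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities.

# check_mitigations DIR
# Prints one line per CVE. Returns 0 if no entry begins with "Vulnerable",
# 1 if at least one does, 2 if DIR is missing (kernel too old to report status,
# which itself means the host needs review).
check_mitigations() {
    dir="$1"
    [ -d "$dir" ] || { echo "no sysfs vulnerability reporting at $dir"; return 2; }
    rc=0
    for pair in "CVE-2017-5753:spectre_v1" "CVE-2017-5715:spectre_v2" "CVE-2017-5754:meltdown"; do
        cve=${pair%%:*}
        file=${pair#*:}
        if [ -r "$dir/$file" ]; then
            status=$(cat "$dir/$file")
        else
            status="not reported"
        fi
        printf '%s (%s): %s\n' "$cve" "$file" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree standing in for real sysfs files, so the script runs
# offline. The status strings mirror the kernel's wording; one entry is left
# unmitigated on purpose to show the non-zero return path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# Usage: run with --sample to use the constructed tree, otherwise the live host.
if [ "${1:-}" = "--sample" ]; then
    target=$(make_sample)
else
    target=/sys/devices/system/cpu/vulnerabilities
fi
if check_mitigations "$target"; then
    echo "RESULT: no entry reports Vulnerable"
else
    echo "RESULT: review needed (exit status $?)"
fi
```

A return of 2 (no sysfs directory) is treated as "review needed" rather than as a pass, because a kernel that cannot report its status is not evidence that the host is patched.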

STATUS OF THIS NOTICE: PRELIMINARY

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:
https://www.aerohive.com/support/security-center/

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 2018-01-05 INITIAL PUBLICATION

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at:
https://www.aerohive.com/support/security-center/

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.aerohive.com/support/security-center/

© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.