PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE’S RESPONSE TO "POODLE", AKA CVE-2014-3566


SUMMARY

On October 14, 2014, reports were published regarding a security vulnerability in the design of SSL version 3.0. The vulnerability targets SSL clients and allows a network attacker to recover the plaintext of secure connections.

AFFECTED PRODUCTS AND VERSIONS

  • Aerohive HiveOS (all versions) is vulnerable.
  • Aerohive HiveManager (all versions, both on-premises and HMOL) was vulnerable.
  • Aerohive Mobility Suite (comprising ID Manager, Client Management, and Social Login) was vulnerable.
  • Aerohive cloud servers (MyHive, Redirector, License servers, etc.) were vulnerable.
  • Aerohive HiveManager-NG is not vulnerable. Front-end load-balancing servers were patched the evening of Oct 16 to disable SSLv3.

DETAILS

POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, was discovered by three Google security engineers—Bodo Moller, Thai Duong and Krzysztof Kotowicz.

POODLE affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service such as HiveManager and then take over your accounts without needing your password.
 
To exploit the vulnerability, the target (you) must be running JavaScript, and the attacker has to be on the same network as you (for example, the same Wi-Fi network you are using) and able to inject traffic into the conversation between your client and the server, as is the case on an open SSID.
 
The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that attempt to use SSLv3 as an alternative whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.

DISCOVERY

The bug was originally discovered by three Google security engineers—Bodo Moller, Thai Duong, and Krzysztof Kotowicz. It has been assigned CVE-2014-3566 by the National Vulnerability Database.

IMPACT

May allow unauthorized disclosure of information; may allow unauthorized modification; may allow disruption of service.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

MITIGATION

Since this is an attack against client browsers, the best defense is to harden the client browsers by disabling the use of SSLv3.

If you cannot harden the client browsers, using Wi-Fi secured with PSK, Private PSK, or 802.1X will hinder attackers' ability to inject themselves into the conversations between your clients and servers.
 
No action is needed for Aerohive cloud products, including HiveManager OnLine. These servers were all patched the weekend of Oct 25/26.
 
Customers who have on-premises HiveManager should immediately upgrade to version 6.2r1 and apply the 6.2r1b patch, or upgrade to version 6.3r1.
 
HiveOS devices should be upgraded to version 6.4r1.
 
Some HiveOS devices are not capable of running version 6.4r1 software. The last version of HiveOS for AP320/340 was version 6.1. Customers with these platforms should upgrade to version 6.1r6b when it is available. The last version of HiveOS for AP110/120/170 and BR100 was version 6.2. Customers with these platforms should upgrade to version 6.2r1b when it is available. These versions of HiveOS are expected to be released in late December.

StudentManager should be upgraded to version 1.2r1.
 
As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access.
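The DETAILS section above describes a downgrade to SSLv3, and the MITIGATION section says the fix on the server side is to disable SSLv3 entirely. The following added example (not Aerohive's code, and not part of the original advisory) lets an administrator verify that a HiveManager or other server actually refuses SSL 3.0: it builds a ClientHello that offers only protocol version 3.0 and classifies the server's first record. The cipher-suite list and the sample responses in the test are constructed for illustration.

```python
"""Check whether a server still accepts SSL 3.0 (the protocol POODLE depends on)."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"                      # SSL 3.0 protocol version bytes
HANDSHAKE, ALERT = 0x16, 0x15            # SSL/TLS record content types
# Constructed list of SSLv3-era cipher suites to offer in the probe hello.
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello() -> bytes:
    """Build a ClientHello that offers only SSL 3.0 and carries no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body = (SSLV3 + os.urandom(32)               # client_version + 32-byte random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned for the SSLv3-only hello."""
    if len(data) < 5:
        return "no_response"            # connection closed or nothing readable
    ctype, version = data[0], data[1:3]
    if ctype == HANDSHAKE and version == SSLV3 and len(data) > 5 and data[5] == 0x02:
        return "sslv3_accepted"         # ServerHello at version 3.0: SSLv3 still enabled
    if ctype == ALERT:
        return "sslv3_refused"          # e.g. handshake_failure or protocol_version alert
    return "unexpected"                 # anything else: inspect manually


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3-only ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""                  # a reset or silence also means no SSLv3 hello came back
    return classify_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # usage: python probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], probe(sys.argv[1], port))
```

A result of "sslv3_refused" or "no_response" is what a patched server should produce; "sslv3_accepted" means the server still negotiates SSL 3.0 and remains exposed to the downgrade described above.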


OBTAINING FIXED FIRMWARE

Aerohive customers can obtain the firmware and contact support as needed from our website after logging into the support portal at https://support.aerohive.com.

Please, do not contact “security(at)aerohive.com” for software upgrades.

STATUS OF THIS NOTICE: Final

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
 
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:
http://www.aerohive.com/support/security-center/security-bulletins

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1 / 2014-10-24 / Initial publication
Revision 2 / 2014-11-21 / Updated Mitigation section with additional info regarding HiveOS releases
Revision 3 / 2014-12-19 / Updated Mitigation section with information regarding StudentManager

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at
http://www.aerohive.com/support/security-center

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.aerohive.com/support/security-center

© Copyright 2014 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.