PRODUCT SECURITY ANNOUNCEMENT
AEROHIVE’S RESPONSE TO SECURITY ASSESSMENTS DATED 28 AUG 2014
SUMMARY
On August 28, 2014, Security-Assessment.com (http://www.security-assessment.com/) published a vulnerability advisory regarding several issues in Aerohive’s HiveManager and HiveOS. Customers who have upgraded to the latest versions of HiveOS and HiveManager are already protected against most of these issues; their remaining exposure is limited to trusted administrative users who abuse their privileged access.
AFFECTED VERSIONS
Aerohive HiveManager (both on-premises and HiveManager Online) versions 6.1r3 and earlier are vulnerable to the identified issues.
Aerohive HiveOS versions 6.1r3 and earlier are vulnerable to the identified issues.
DETAILS
A total of 11 issues were reported. The majority of these issues were already fixed in the recent HiveOS and HiveManager 6.1r6 release, which most customers have upgraded to or have access to. A few are fixed in the 6.2r1 release of HiveOS and HiveManager, which will be available to customers starting around the middle of September. Two items require administrative access to HiveManager in order to exploit them and will not be fixed before the Q4 release of HiveManager. The specific list of vulnerabilities identified, along with the current status of each, appears below.
HiveManager arbitrary file read
This vulnerability was fixed in the HiveManager 6.1r6a release.
HiveManager ‘upload’ Servlet Arbitrary File Upload
This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.
HiveManager debugserver Command Execution
This vulnerability was fixed in the HiveManager 6.1r6a release.
HiveManager Multiple Password Disclosure
Three separate issues were identified. The first was fixed in the HiveManager 6.1r5 release. The second was fixed in the HiveManager 6.1r6a release. The third can only be exploited by a trusted administrative account on an on-premises HiveManager abusing its privileged access to gain file system access (possibly by performing the subshell bypass described below). This third issue is expected to be fixed in a future release of HiveManager.
HiveManager Reflected Cross Site Scripting
This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.
HiveManager SSH Keys with No Passphrase
This has been mitigated in HiveManager and HiveOS 6.2r1: the private keys used by HiveOS are now encrypted, and the system user that facilitates tunnel formation during normal operation no longer runs as root.
HiveManager Subshell Bypass
Subshell access is functionality available only in on-premises HiveManager. Exploiting this relies on a trusted administrative account on HiveManager abusing its privileged access. This is currently expected to be addressed in a future release of HiveManager.
HiveManager Unauthenticated Arbitrary File Upload
This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.
HiveOS Local File Inclusion
This vulnerability was fixed in the HiveOS 6.1r6 release.
HiveOS Password Disclosure
This vulnerability was fixed in the HiveOS 6.1r6 release.
HiveOS Unauthenticated Firmware Upload
This vulnerability was fixed in the HiveOS 6.1r6 release.
DISCOVERY
These vulnerabilities were first reported to Aerohive by Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, and Pedro Worcel, all of Security-Assessment.com (http://www.security-assessment.com/), and we extend our thanks to them.
MITIGATION
Upgrade to the latest released software for your Aerohive products. As always, Aerohive recommends that you follow security best practices, including reducing the exposed attack surface by using access control methods such as network-level ACLs to restrict who can reach the HiveManager and HiveOS management interfaces.
OBTAINING FIXED FIRMWARE
Aerohive customers can obtain the firmware, and contact support as needed, from our website after logging into the support portal at https://support.aerohive.com.
Please do not contact “security(at)aerohive.com” for software upgrades.
STATUS OF THIS NOTICE: Interim
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory is posted on Aerohive’s website at:
http://www.aerohive.com/support/security-center/security-bulletins
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
REVISION HISTORY
Revision 1 / 2014-09-05 / Initial release
AEROHIVE PSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aerohive products, and on obtaining assistance with security incidents, is available at
http://www.aerohive.com/support/security-center
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at
http://www.aerohive.com/support/security-center
© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.