PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE’S RESPONSE TO SECURITY ASSESSMENTS DATED 28 AUG 2014


SUMMARY

On 28 August 2014 Security-Assessment.com (http://www.security-assessment.com/) published a vulnerability advisory covering several issues in Aerohive’s HiveManager and HiveOS. Customers who have upgraded to the latest versions of HiveOS and HiveManager are already protected against most of these issues; the remaining items can only be exploited by an already trusted administrative user who abuses that privileged access.

AFFECTED VERSIONS

Aerohive HiveManager (both on-premises and HiveManager Online) versions 6.1r3 and earlier are vulnerable to the identified issues.

Aerohive HiveOS versions 6.1r3 and earlier are vulnerable to the identified issues.

DETAILS

A total of 11 issues were reported. The majority were already fixed in the recent HiveOS and HiveManager 6.1r6 release, which most customers have upgraded to or have access to. A few are fixed in the 6.2r1 release of HiveOS and HiveManager, which will be available to customers starting around the middle of September. Two items require administrative access to HiveManager in order to exploit them and will not be fixed before the Q4 release of HiveManager. The vulnerabilities Security-Assessment.com identified, with the current status of each, are listed below.

HiveManager arbitrary file read

This vulnerability was fixed in the HiveManager 6.1r6a release.

HiveManager ‘upload’ Servlet Arbitrary File Upload

This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.

HiveManager debugserver Command Execution

This vulnerability was fixed in the HiveManager 6.1r6a release.

HiveManager Multiple Password Disclosure

Three separate issues were identified. The first was fixed in the HiveManager 6.1r5 release. The second was fixed in the HiveManager 6.1r6a release. The third can only be exploited by a trusted administrative account on an on-premises HiveManager that abuses its privileged access to gain file-system access (for example, via the subshell bypass described below). This third issue is expected to be fixed in a future release of HiveManager.

HiveManager Reflected Cross Site Scripting

This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.

HiveManager SSH Keys with No Passphrase

This has been mitigated in HiveManager and HiveOS 6.2r1: the private keys used by HiveOS are now encrypted, and the system account used to establish the tunnel during normal operation no longer runs as root.
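As an added illustration (this is not Aerohive's code and says nothing about where HiveManager or HiveOS store their keys), the following Python script performs the check an administrator would want after this fix: whether a private key on disk is actually passphrase-protected. It parses the two containers OpenSSH writes, the classic PEM container (where a passphrase adds a "Proc-Type: 4,ENCRYPTED" header) and the "openssh-key-v1" container (where the cipher name recorded after the magic is "none" when the key is unencrypted). The sample keys and the file names in SAMPLE_KEYS are constructed fixtures; the classic-PEM bodies are placeholders, not real key material.

```python
"""Audit SSH private keys for a missing passphrase.

Added example, not Aerohive code. OpenSSH writes private keys in one of two
containers, and each records the encryption state differently:
  * classic PEM ("BEGIN RSA PRIVATE KEY" etc.): a passphrase adds the header
    line "Proc-Type: 4,ENCRYPTED";
  * "openssh-key-v1" ("BEGIN OPENSSH PRIVATE KEY"): the base64 blob starts
    with the magic, then the cipher name, which is "none" when unencrypted.
"""
import base64
import re
import struct
import sys
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode an RFC 4251 'string' at offset; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def openssh_cipher_name(key_text: str) -> str:
    """Return the cipher name recorded in an openssh-key-v1 container."""
    body = "".join(ln for ln in key_text.splitlines() if not ln.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def key_is_encrypted(key_text: str) -> bool:
    """True if the private key material is protected by a passphrase."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        return openssh_cipher_name(key_text) != "none"
    # Classic PEM: without the Proc-Type header the DER payload is in the clear.
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", key_text, re.M) is not None


def audit_keys(keys):
    """keys: iterable of (name, key_text). Returns names with no passphrase."""
    return [name for name, text in keys if not key_is_encrypted(text)]


# ---- constructed fixtures (not real keys; PEM bodies are placeholders) ----

def make_openssh_container(cipher: str, kdf: str) -> str:
    """Build a minimal openssh-key-v1 header so the cipher field can be read."""
    blob = OPENSSH_MAGIC
    blob += _ssh_string(cipher.encode())
    blob += _ssh_string(kdf.encode())
    blob += _ssh_string(b"")        # kdfoptions: empty in this fixture
    blob += struct.pack(">I", 1)    # number of keys
    blob += _ssh_string(b"")        # public key blob: omitted in fixture
    blob += _ssh_string(b"")        # private section: omitted in fixture
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


PEM_UNENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKPLACEHOLDERNOTAREALKEY
-----END RSA PRIVATE KEY-----
"""

PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

PLACEHOLDERCIPHERTEXTNOTAREALKEY
-----END RSA PRIVATE KEY-----
"""

# Hypothetical key names; the two "flagged" entries are the unprotected ones.
SAMPLE_KEYS = [
    ("tunnel_key", make_openssh_container("none", "none")),          # flagged
    ("admin_key", make_openssh_container("aes256-ctr", "bcrypt")),   # ok
    ("legacy_rsa", PEM_UNENCRYPTED),                                  # flagged
    ("legacy_rsa_enc", PEM_ENCRYPTED),                                # ok
]


def main(argv):
    """With file paths: audit those files. Without: audit the fixtures."""
    keys = [(p, Path(p).read_text()) for p in argv] if argv else SAMPLE_KEYS
    for name in audit_keys(keys):
        print(f"NO PASSPHRASE: {name}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the paths of the private keys you want to audit (for example the key files under a service account's .ssh directory); with no arguments it audits the constructed fixtures and reports "tunnel_key" and "legacy_rsa". A key the script flags is usable by anyone who can read the file, which is why a process that can reach such a key should not also run as root.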

HiveManager Subshell Bypass

Subshell access is functionality available only in on-premises HiveManager. Exploiting this issue requires a trusted administrative account on HiveManager abusing its privileged access. It is currently expected to be addressed in a future release of HiveManager.

HiveManager Unauthenticated Arbitrary File Upload

This vulnerability is fixed in HiveManager 6.2r1, releasing mid-September.

HiveOS Local File Inclusion

This vulnerability was fixed in the HiveOS 6.1r6 release.

HiveOS Password Disclosure

This vulnerability was fixed in the HiveOS 6.1r6 release.

HiveOS Unauthenticated Firmware Upload

This vulnerability was fixed in the HiveOS 6.1r6 release.

DISCOVERY

These vulnerabilities were first reported to Aerohive by, and we extend our thanks to, Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, and Pedro Worcel, all of Security-Assessment.com (http://www.security-assessment.com/).

MITIGATION

Upgrade to the latest released software for your Aerohive products. As always, Aerohive recommends that you follow security best practices, including reducing the attack surface by using access control methods such as network-level ACLs to restrict who can reach the HiveManager and HiveOS management interfaces.

OBTAINING FIXED FIRMWARE

Aerohive customers can obtain the firmware, and contact support as needed, after logging into the support portal at https://support.aerohive.com.

Please do not contact “security(at)aerohive.com” for software upgrades.

STATUS OF THIS NOTICE: Interim

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory is posted on Aerohive’s website at:

http://www.aerohive.com/support/security-center/security-bulletins

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1 / 2014-09-05 / Initial release

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and on obtaining assistance with security incidents is available at

http://www.aerohive.com/support/security-center

To report *NEW* Aerohive security issues, email security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at

http://www.aerohive.com/support/security-center

© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.