'Aerohive Hive Manager and Hive OS Multiple Vulnerabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
From:       Disclosure <Disclosure () security-assessment ! com>
Date:       2014-08-28 4:51:20
Message-ID: 5BA2A954B70D364EB058EB00B656CB87FB6400 () sa-exch02 ! security-assessment ! local
[Download RAW message or body]

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Aerohive Hive Manager and Hive OS Multiple Vulnerabilities

Affected Versions: Aerohive Hive Manager (Stand-alone and Cloud) >= 6.1R3 and HiveOS \
                6.1R3
PDF: http://www.security-assessment.com/files/documents/advisory/Aerohive%20Hive%20Manager%20and%20Hive%20OS%20Multiple%20Vulnerabilities.pdf


+-------------+
> Description |
+-------------+

This document details multiple vulnerabilities found within the Aerohive Hive Manager \
and HiveOS software. These  vulnerabilities have been disclosed to the vendor on or \
before the 24th of April 2014. 

-- Hive Manager Arbitrary File Disclosure --
Leveraging directory traversal, a malicious user can retrieve arbitrary files from \
the Hive Manager file system. As the  Tomcat instance serving the Hive Manager \
software runs as the root user, this vulnerability can be used to read any  file off \
the file system, including sensitive files such as /etc/shadow.

-- Hive Manager Arbitrary File Upload --
An authenticated malicious user may send a crafted post to the ‘upload’ servlet and \
upload arbitrary files. As the  upload servlet is protected by HTTP basic \
authentication, this requires the knowledge of the scpuser’s password.

-- Hive Manager Debugserver Code Execution --
It was discovered that an authenticated user may send a crafted request to the Hive \
Manager ‘debugserver’ servlet  and execute arbitrary commands on the Hive Manager \
server.

-- Hive Manager Multiple Password Disclosure --
Multiple methods within the Hive Manager web interface were found to expose sensitive \
information such as  usernames and passwords. A malicious entity may leverage these \
disclosures to further compromise the Hive  Manager.

-- Hive Manager Reflected Cross Site Scripting --
Multiple Reflected Cross Site Scripting vulnerabilities were found within the Hive \
Manager software. These  vulnerabilities allow a malicious entity to potentially gain \
JavaScript execution within a legitimate user’s browser.  This is done with the aim \
of harming the user’s browser or hijacking their session.

-- Hive Manager SSH Keys Lacking Passphrase --
An SSH key was found on the Hive Manager file system without any passphrase set. This \
allows a malicious user  with access to the file system to gain unauthorised access \
to the system with root user privileges.

-- Hive Manager Subshell Bypass --
By using a crafted SSH command, a malicious user may gain root access to the Hive \
Manager with a fully functional  bash terminal, effectively bypassing the Aerohive \
subshell. This allows the malicious user to perform tasks on the  underlying CentOS \
Linux operating system, including the retrieval of private keys, passwords and other \
sensitive  information

-- Hive Manager Unauthenticated Arbitrary File Upload --
The Hive Manager HHMUploadServlet was found to suffer from an Unauthenticated \
Arbitrary File Upload  vulnerability. By sending a crafted packet to the servlet, a \
malicious entity is able to gain arbitrary code execution on  the Hive Manager \
server.

-- HiveOS Local File Inclusion --
Aerohive HiveOS was found to contain a Local File Inclusion Vulnerability within the \
web administrative interface.  The Local File Inclusion allows a malicious entity to \
control what files are included by the vulnerable PHP page. In  the event that the \
malicious entity is able to control an element on the file system, this results in \
arbitrary code  execution. As user controlled information is present within the \
log-files of the application, this is easily achievable.

-- HiveOS Password Disclosure --
Log files within the HiveOS operating system were found to disclose sensitive \
information such as usernames and  password. A malicious user may leverage this \
information to further compromise the Aerohive deployment or its  users.

-- HiveOS Unauthenticated Firmware Upload --
Insufficient authorisation checking was found to be being performed on certain \
firmware upload functions. This  allows for the upload of a backdoored or otherwise \
malicious firmware by an attacker.

+--------------+
> Exploitation |
+--------------+

Detailed exploitation information and code will be released in December 2014.

+------------+
> Workaround |
+------------+

Update to the latest version of Hive Manager and HiveOS software including the cloud \
solutions.

+--------+
> Credit |
+--------+

Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, Pedro \
Worcel.

+-----------------------------+
> About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.=


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic