On Thursday 26 June 2018 Aerohive was contacted by a security researcher who reported that he had discovered a method by which authenticated administrative users could escalate their own privileges to root, giving them full access to the access point.
This vulnerability can only be exploited by authenticated administrative users on access points running specific versions of HiveOS. Once root privilege is acquired, the malicious user has full control over the device. They can potentially install, replace, or manipulate local programs or files, such as activity logs on the device; manipulate or insert frames into traffic traversing the access point; or halt services provided by the access point.
HiveOS is a closed system that operates on top of a customized Linux kernel. Access to the underlying Linux kernel and file system is normally restricted to Aerohive field service technicians, Aerohive factory workers installing HiveOS, and internal developers and QA personnel. Each Aerohive device has a unique password related to the device serial number for access to the underlying Linux kernel’s shell command line.
Starting with software releases in August and September of 2018, Aerohive will release new versions of HiveOS which will change the algorithms used to provide access to the underlying Linux kernel’s shell command line. See the Mitigation section of this advisory for release versions and timeframes.
This vulnerability was brought to Aerohive’s attention by, and we offer our sincere thanks to, Victorien Molle (firstname.lastname@example.org).
As always, Aerohive recommends that you follow best security practices, including reducing the possible attack surface by using physical access control methods and network methods such as network-level ACLs to restrict access to sensitive equipment. Aerohive also offers the ability to completely deny access to either SSH or the console port via policy; see the following for more on this:
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory will be posted on Aerohive’s website at:
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision 1.0 / 2018-07-31 INITIAL PUBLICATION
AEROHIVE PSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at:
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: