Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit
Title: Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit
Advisory ID: ZSL-2020-5566
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 05.05.2020
Summary
Aerohive HiveOS is the network operating system that powers all Aerohive access points, based on a feature-rich Cooperative Control architecture. HiveOS enables Aerohive devices to organize into groups, or 'hives', which allows functionality like fast roaming, user-based access control and fully stateful application-aware firewall policies, as well as additional security and RF networking features - all without the need for a centralized or dedicated controller.
Description
An unauthenticated malicious user can trigger a Denial of Service (DoS) attack by sending specific application layer packets towards the Aerohive NetConfig UI. This PoC exploit renders the application unusable for 305 seconds (roughly 5 minutes) with a single HTTP request using the action.php5 script, calling the CliWindow function through the _page parameter, denying access to the web server hive user interface.
Vendor
Extreme Networks - https://www.extremenetworks.com
Affected Version
<=11.x
Tested On
Hiawatha v9.6
Vendor Status
[05.12.2019] Vulnerability discovered.
[23.01.2020] Vendor contacted.
[23.01.2020] Vendor provides security e-mail.
[23.01.2020] Reported vulnerability to vendor.
[23.01.2020] Vendor responds asking more details.
[23.01.2020] Sent details to the vendor.
[23.01.2020] Vendor begins investigation, providing quick remediation to disable the web-server UI.
[23.01.2020] Replied to the vendor.
[06.02.2020] Asked vendor for status update.
[06.02.2020] Information has been passed to engineering team, waiting for status update.
[10.02.2020] Replied to the vendor.
[25.02.2020] Asked vendor for status update.
[25.02.2020] Vendor waiting for feedback from engineering team.
[25.02.2020] Replied to the vendor with scheduled advisory release date.
[04.05.2020] No response from the vendor.
[05.05.2020] Public security advisory released.
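The request pattern named in the Description (action.php5 called with _page=CliWindow) can be watched for in the web server access log so that a single lockout-triggering request is attributed to a client address. The following detection helper is an added example, not the advisory's hiveosdos.sh PoC or any Extreme Networks code; the Common Log Format layout, the sample log lines and the exact request path are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common Log Format (assumed layout): host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_SCRIPT = "/action.php5"  # script named in the advisory
SUSPECT_PAGE = "CliWindow"       # _page value named in the advisory


def is_cliwindow_request(target: str) -> bool:
    """True when the request target is action.php5 with _page=CliWindow."""
    parts = urlsplit(target)
    if not parts.path.endswith(SUSPECT_SCRIPT):
        return False
    # parse_qs handles repeated or extra parameters; match on the exact value
    return SUSPECT_PAGE in parse_qs(parts.query).get("_page", [])


def scan_log(lines):
    """Return (hits per client host, list of (time, host, target)) for matches."""
    hits = Counter()
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        if is_cliwindow_request(m.group("target")):
            hits[m.group("host")] += 1
            events.append((m.group("time"), m.group("host"), m.group("target")))
    return hits, events


# Constructed sample lines (not real traffic): a benign page load, two
# CliWindow requests from one client, a different _page value, and junk.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2020:10:00:01 +0000] "GET /index.php5 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/May/2020:10:00:05 +0000] "GET /action.php5?_page=CliWindow HTTP/1.1" 200 0',
    '198.51.100.7 - - [05/May/2020:10:05:20 +0000] "GET /action.php5?_page=CliWindow&x=1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [05/May/2020:10:06:00 +0000] "GET /action.php5?_page=Status HTTP/1.1" 200 900',
    'this line does not follow the log format',
]

if __name__ == "__main__":
    counts, found = scan_log(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host}: {n} CliWindow request(s) -> UI lockout risk")
```

Because one request is enough to lock the UI for the stated period, any non-zero count per client is worth an alert, not just a high rate.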
PoC
hiveosdos.sh
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/157587
[2] https://www.exploit-db.com/exploits/48441
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/181649
[4] https://advisories.ncsc.nl/advisory?id=NCSC-2020-0367
Changelog
[05.05.2020] - Initial release
[08.05.2020] - Added reference [1] and [2]
[10.05.2020] - Added reference [3] and [4]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk