what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Aerohive Hive Manager / Hive OS Complete Fail

Aerohive Hive Manager / Hive OS Complete Fail
Posted Aug 28, 2014
Authored by Nick Freeman, Thomas Hibbert, Denis Andzakovic, Carl Purvis, Pedro Worcel, Scott Bell | Site security-assessment.com

Aerohive Hive Manager (Stand-alone and Cloud) versions greater than and equal to 6.1R3 and HiveOS version 6.1R3 suffer from bypass, code execution, cross site scripting, file disclosure, local file inclusion, arbitrary file upload, missing passphrase, and password disclosure vulnerabilities.

tags | advisory, arbitrary, local, vulnerability, code execution, xss, file inclusion, file upload
SHA-256 | cda32b36ba6f19559448f8007c162ba158f4b31d35722a7b7f4a3f40b5f0e800

Aerohive Hive Manager / Hive OS Complete Fail

Change Mirror Download
(    , )     (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq


Aerohive Hive Manager and Hive OS Multiple Vulnerabilities

Affected Versions: Aerohive Hive Manager (Stand-alone and Cloud) >= 6.1R3 and HiveOS 6.1R3
PDF: http://www.security-assessment.com/files/documents/advisory/Aerohive%20Hive%20Manager%20and%20Hive%20OS%20Multiple%20Vulnerabilities.pdf

| Description |

This document details multiple vulnerabilities found within the Aerohive Hive Manager and HiveOS software. These
vulnerabilities have been disclosed to the vendor on or before the 24th of April 2014.

-- Hive Manager Arbitrary File Disclosure --
Leveraging directory traversal, a malicious user can retrieve arbitrary files from the Hive Manager file system. As the
Tomcat instance serving the Hive Manager software runs as the root user, this vulnerability can be used to read any
file off the file system, including sensitive files such as /etc/shadow.

-- Hive Manager Arbitrary File Upload --
An authenticated malicious user may send a crafted post to the ‘upload’ servlet and upload arbitrary files. As the
upload servlet is protected by HTTP basic authentication, this requires the knowledge of the scpuser’s password.

-- Hive Manager Debugserver Code Execution --
It was discovered that an authenticated user may send a crafted request to the Hive Manager ‘debugserver’ servlet
and execute arbitrary commands on the Hive Manager server.

-- Hive Manager Multiple Password Disclosure --
Multiple methods within the Hive Manager web interface were found to expose sensitive information such as
usernames and passwords. A malicious entity may leverage these disclosures to further compromise the Hive

-- Hive Manager Reflected Cross Site Scripting --
Multiple Reflected Cross Site Scripting vulnerabilities were found within the Hive Manager software. These
vulnerabilities allow a malicious entity to potentially gain JavaScript execution within a legitimate user’s browser.
This is done with the aim of harming the user’s browser or hijacking their session.

-- Hive Manager SSH Keys Lacking Passphrase --
An SSH key was found on the Hive Manager file system without any passphrase set. This allows a malicious user
with access to the file system to gain unauthorised access to the system with root user privileges.

-- Hive Manager Subshell Bypass --
By using a crafted SSH command, a malicious user may gain root access to the Hive Manager with a fully functional
bash terminal, effectively bypassing the Aerohive subshell. This allows the malicious user to perform tasks on the
underlying CentOS Linux operating system, including the retrieval of private keys, passwords and other sensitive

-- Hive Manager Unauthenticated Arbitrary File Upload --
The Hive Manager HHMUploadServlet was found to suffer from an Unauthenticated Arbitrary File Upload
vulnerability. By sending a crafted packet to the servlet, a malicious entity is able to gain arbitrary code execution on
the Hive Manager server.

-- HiveOS Local File Inclusion --
Aerohive HiveOS was found to contain a Local File Inclusion Vulnerability within the web administrative interface.
The Local File Inclusion allows a malicious entity to control what files are included by the vulnerable PHP page. In
the event that the malicious entity is able to control an element on the file system, this results in arbitrary code
execution. As user controlled information is present within the log-files of the application, this is easily achievable.

-- HiveOS Password Disclosure --
Log files within the HiveOS operating system were found to disclose sensitive information such as usernames and
password. A malicious user may leverage this information to further compromise the Aerohive deployment or its

-- HiveOS Unauthenticated Firmware Upload --
Insufficient authorisation checking was found to be being performed on certain firmware upload functions. This
allows for the upload of a backdoored or otherwise malicious firmware by an attacker.

| Exploitation |

Detailed exploitation information and code will be released in December 2014.

| Workaround |

Update to the latest version of Hive Manager and HiveOS software including the cloud solutions.

| Credit |

Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, Pedro Worcel.

|About Security-Assessment.com|

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Login or Register to add favorites

File Archive:

October 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    0 Files
  • 2
    Oct 2nd
    22 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By