Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit

Medium
Advisory ID
ZSL-2020-5566
Release Date
05 May 2020
Vendor
Affected Version
<=11.x
Tested On
Hiawatha v9.6
Summary

Aerohive HiveOS is the network operating system that powers all Aerohive access points, based on a feature-rich Cooperative Control architecture. HiveOS enables Aerohive devices to organize into groups, or 'hives', which allows functionality like fast roaming, user-based access control and fully stateful application-aware firewall policies, as well as additional security and RF networking features - all without the need for a centralized or dedicated controller.

Description

An unauthenticated malicious user can trigger a Denial of Service (DoS) condition by sending specific application-layer packets towards the Aerohive NetConfig UI. This PoC exploit renders the application unusable for 305 seconds or 5 minutes with a single HTTP request to the action.php5 script, calling the CliWindow function through the _page parameter, denying access to the web server's hive user interface.
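The description identifies the request shape well enough to hunt for it in web-server access logs: a request to action.php5 whose _page parameter selects CliWindow. The following detection script is an added example written for this page; it is not part of the advisory or of any Extreme Networks tooling. The log lines are constructed samples in common log format (IPs from documentation ranges), the combined-log layout is an assumption about how the device's web server logs requests, and the script only sees the query string, so parameters carried in a POST body are not visible to it (a lower bound on true hits). The vendor's interim remediation noted in the timeline, disabling the web-server UI, remains the mitigation; this script only helps establish whether the UI was hit.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). The script name
# action.php5 and the _page=CliWindow parameter come from the advisory text;
# everything else (addresses, timestamps, sizes) is made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2020:10:00:01 +0000] "GET /index.php5 HTTP/1.1" 200 512
192.0.2.10 - - [05/May/2020:10:00:02 +0000] "GET /action.php5?_page=CliWindow HTTP/1.1" 200 0
198.51.100.7 - - [05/May/2020:10:00:05 +0000] "POST /action.php5 HTTP/1.1" 200 118
192.0.2.10 - - [05/May/2020:10:05:10 +0000] "GET /action.php5?_page=CliWindow&_action=show HTTP/1.1" 200 0
203.0.113.5 - - [05/May/2020:10:06:00 +0000] "GET /action.php5?_page=Login HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so a bare "_page=" still shows up as present
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def is_cliwindow_request(entry):
    """True when the request targets action.php5 with _page selecting CliWindow.

    Matching is case-insensitive on both the script name and the parameter
    value so trivial case variations in the request do not evade the check.
    """
    if not entry["path"].lower().endswith("/action.php5"):
        return False
    pages = entry["query"].get("_page", [])
    return any(p.lower() == "cliwindow" for p in pages)


def find_hits(log_text):
    """Return the parsed entries that match the CliWindow request pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cliwindow_request(entry):
            hits.append(entry)
    return hits


def count_by_source(hits):
    """Aggregate matching requests per client address for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("requests per source:", count_by_source(hits))
```

Because the advisory states that a single request is enough to take the UI offline for the stated period, the script flags every matching request rather than applying a rate threshold; the per-source count is only there to make triage easier. To run it against a real log, replace SAMPLE_LOG with the file contents and adjust LOG_RE if the device's log layout differs from the assumed common log format.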

Proof of Concept
Disclosure Timeline
05.12.2019 Vulnerability discovered.
23.01.2020 Vendor contacted.
23.01.2020 Vendor provides security e-mail.
23.01.2020 Reported vulnerability to vendor.
23.01.2020 Vendor responds asking for more details.
23.01.2020 Sent details to the vendor.
23.01.2020 Vendor begins investigation, providing quick remediation to disable the web-server UI.
23.01.2020 Replied to the vendor.
06.02.2020 Asked vendor for status update.
06.02.2020 Information has been passed to engineering team, waiting for status update.
10.02.2020 Replied to the vendor.
25.02.2020 Asked vendor for status update.
25.02.2020 Vendor waiting for feedback from engineering team.
25.02.2020 Replied to the vendor with scheduled advisory release date.
04.05.2020 No response from the vendor.
05.05.2020 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
05.05.2020 Initial release
08.05.2020 Added references [1] and [2]
10.05.2020 Added references [3] and [4]
24.03.2026 Added reference [5]