Aura Information Security Finds Critical Vulnerability In Aerohive / Extreme Networks Wireless Access Points

A researcher at New Zealand cybersecurity firm Aura Information Security has found a critical security vulnerability in the widely used Aerohive (now Extreme Networks) wireless access points.

Aura Consultant Lachlan Davidson not only discovered the security flaw but was able to develop an exploit to gain full remote control over the devices in his research - demonstrating the potential for an attacker to break into networks that use these access points, steal network traffic and maintain long-term access.

The vulnerability was disclosed under a responsible disclosure policy, and a patch has been released for some models.

Aerohive, a manufacturer of wireless networking equipment for enterprise customers, was acquired by American global technology company Extreme Networks in 2019.

The company’s devices are used both in New Zealand and globally for a wide range of wireless networking solutions in enterprise and high-performance environments – such as schools, universities, hospitals, offices, and government organisations.

Davidson has detailed his discovery and exploitation of the vulnerability in a research article.

“This is a particularly nasty flaw - and as far as I can tell, there’s no way to disable the vulnerable service. We’d advise businesses using these devices to urgently patch these as soon as possible, before they can be exploited,” says Davidson.

Davidson says his curiosity was piqued after seeing Aerohive devices in many enterprise settings, as well as previous research by fellow Aura consultant Jordan Smith into the functionality of the access points.

“A colleague of mine had documented some vulnerabilities he had found while investigating the Aerohive devices. Given their widespread use in corporate networks within New Zealand and prior instances of security concerns, I was keen to conduct some further research of my own.”

In his day-to-day work as a security consultant, Davidson is often charged with figuring out how a piece of technology or software can be broken down and compromised. In penetration testing engagements, he works with clients to test their systems and applications from an adversarial perspective, to see if he can uncover security flaws or weaknesses. These are then reported back to the customer, so they can be remedied before a malicious hacker is able to exploit these. Aura also allows consultants to dedicate up to 20% of their time to perform research, to hone their skills while also uncovering new unknown vulnerabilities.

Continuing from Smith’s research, Davidson purchased some second-hand Aerohive devices from TradeMe and began experimenting with them at home. It wasn’t long before he found some concerning anomalies that could be leveraged to compromise the device.

He then investigated this further, creating a proof of concept, before alerting Extreme Networks of the security vulnerabilities he discovered so that they could issue a patch to resolve the issue.

“Network devices are often attractive to threat actors, as they act as entrances into your network. Once a hacker gains access, they could dwell there for some time – exploring your network, intercepting traffic and performing attacks against the rest of your infrastructure,” says Davidson.

“Wi-Fi access points can be valuable targets, as they often allow untrusted devices to connect to Guest Wi-Fi, but also act as gatekeepers for your employees to access sensitive corporate network resources – that is what makes this security vulnerability quite concerning.”

The fully unauthenticated buffer Overflow Remote Code Execution (CVE-2023-35803) is understood to affect all Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine before 10.6r2.

Extreme Networks have issued a security advisory and released a patch (10.6r2) for their newer series of devices. A patch for some older devices is targeted for October 2023. The specific models have been listed in the security advisory.

Aura recommends all organisations using Aerohive/Extreme Networks devices take steps to mitigate any risk by patching or taking other steps to defend against possible exploitation.

More information:

Research in detail:

Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803 · Aura Research Division (aurainfosec.io)

Security Advisory and 10.6r2 patch notes:

https://extremeportal.force.com/ExtrArticleDetail?an=000112742

https://documentation.extremenetworks.com/release_notes/IQ_Engine/10.6r2/GUID-4C2B5E2B-5624-4730-8F60-A0B70FAEA3C4.shtml ("Resolved an unauthenticated buffer-overflow based remote code execution, which would allow an attacker to gain full control (as root) on an AP.")

© Scoop Media