Aerohive not vulnerable to Heartbleed

The “Heartbleed” attack exploits a flaw in specific versions of OpenSSL. Aerohive uses OpenSSL in our corporate web servers, service-providing web portals, and in our products that have embedded web servers. We have examined these products and we believe our corporate web site, products and service-delivering portals are all NOT VULNERABLE.
Mike Kouri, Official Rep
Nick Lowe, Official Rep
Cool! :)

Presumably this means, though, that where OpenSSL is being used in the embedded sense it is of a previous stable branch without TLS 1.2 support? Any plans to update to the 1.0.1 branch?

CWPs in HiveOS have, perhaps, a bigger concern when used against a RADIUS server in certain deployment scenarios which is that plain PAP, CHAP or CHAPv2 is used completely outside of the protection of a TLS-based EAP type...
Mike Kouri, Official Rep
Hi Nick,
Correct, we are still using an older stable (and non-vulnerable) branch of OpenSSL within HiveOS. 

I cannot comment on future plans for upgrading the version of OpenSSL used within our products. We are aware of your concerns about CWP, and we still intend to address them in a future release.
Nick Lowe, Official Rep
After reviewing a few bits of kit over the last few hours, it seems that quite a few companies that embed OpenSSL have, quite by chance, escaped being vulnerable to heartbleed by having a previous stable branch deployed (still supported/maintained). Palo Alto being one, for example. Lucky in one sense, but it's disappointing that TLS 1.2 is still not seeing the deployment that it should.

(I should also definitely say that the CWP issue is one that many Enterprise-class access point vendors have at this point in time. I only mention it here for what I feel is the needed perspective that things are clearly more at risk where SSL/TLS is not being used to protect data in the first place.)
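The point Nick makes above, that a build can escape Heartbleed by being on the older 1.0.0 or 0.9.8 branch while also lacking TLS 1.2, is easy to audit from `openssl version` banners. The script below is an added example, not Aerohive's or anyone's code from this thread; the host names and banners are constructed, and the mapping relies on the public facts that CVE-2014-0160 affects 1.0.1 through 1.0.1f and 1.0.2-beta1, and that TLS 1.2 first shipped in 1.0.1.

```python
import re
from dataclasses import dataclass

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and 1.0.2-beta2 carry the fix. TLS 1.2 first shipped in 1.0.1, so 0.9.8
# and 1.0.0 builds are unaffected but also cannot negotiate TLS 1.2.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

@dataclass
class OpenSSLStatus:
    version: str
    heartbleed_vulnerable: bool
    tls12_capable: bool

def classify(banner):
    """Classify one `openssl version` banner by version string alone.
    Caveat: a vendor or distro that backported the fix without bumping the
    letter suffix is still reported as vulnerable here; confirm such builds
    against the vendor's own advisory rather than trusting the banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    branch = "%d.%d.%d" % (major, minor, fix)
    tls12 = (major, minor, fix) >= (1, 0, 1)
    if branch == "1.0.1":
        vulnerable = letter < "g"      # "" (plain 1.0.1) through "f" are affected
    elif branch == "1.0.2":
        vulnerable = beta == "1"       # only 1.0.2-beta1 shipped the flaw
    else:
        vulnerable = False             # 0.9.8 / 1.0.0 never had the heartbeat code
    shown = branch + letter + ("-beta" + beta if beta else "")
    return OpenSSLStatus(shown, vulnerable, tls12)

# Constructed sample inventory (hypothetical hosts): host -> `openssl version` output.
SAMPLE_INVENTORY = {
    "corp-web-01":  "OpenSSL 1.0.1e 11 Feb 2013",     # affected 1.0.1 build
    "corp-web-02":  "OpenSSL 1.0.1g 7 Apr 2014",      # first fixed 1.0.1 release
    "ap-hiveos-01": "OpenSSL 1.0.0l 6 Jan 2014",      # older branch: safe, no TLS 1.2
    "ap-hiveos-02": "OpenSSL 0.9.8y 5 Feb 2013",      # older branch: safe, no TLS 1.2
    "lab-box":      "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

def needs_attention(inventory):
    """Split an inventory into 'patch now' and 'plan a TLS 1.2-capable upgrade'."""
    results = {host: classify(banner) for host, banner in inventory.items()}
    patch_now = sorted(h for h, s in results.items() if s.heartbleed_vulnerable)
    no_tls12 = sorted(h for h, s in results.items() if not s.tls12_capable)
    return patch_now, no_tls12

if __name__ == "__main__":
    patch, legacy = needs_attention(SAMPLE_INVENTORY)
    print("patch now:", patch)
    print("no TLS 1.2 (older stable branch):", legacy)
```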
James M
Does Aerohive provide this info in a press release or something more official than a blog post?

Thanks
Mike Kouri, Official Rep
Hi James,
No, we have not, at least not yet.

I'm in the process of working with our IT and marketing folks to revise http://www.aerohive.com/support/report-security-vulnerability to become a security portal that contains all the info currently there along with a table of any issued security advisories. 

Once those changes have been made, I will publish a security advisory reiterating what's up above that you can point your management, auditors, and/or customers to.
James M
Thanks Mike!