bash shellshock patch for HiveManager 6.2r1a

Aerohive released a patch for the bash shellshock vulnerability, which affects their on-premise HiveManagers, but not the APs or cloud-based HM.

Here is their security release bulletin:

http://www.aerohive.com/support-security-bulletins/psa-20140926-001.html

Patch can be downloaded here:

https://support.aerohive.com/secur/download_page?id=666

To apply the patch you follow the same steps you would if you were applying a full version upgrade using a local file:
  1. Make sure your HiveManager is running release 6.2r1a
  2. Download the appropriate patch file for your system
  3. Back up your HM
  4. Log in to the HiveManager with the local admin account
  5. Go to Home tab > Administration > HiveManager Operations > Update Software
  6. Select "File from local host" > click the Browse button > select the patch file on your computer
  7. Click the OK button
  8. When the patch has been uploaded, manually reboot the HM

To confirm bash is no longer vulnerable you can run SSH commands remotely from another server.

Step 1) Run this command from another system with SSH access to the HiveManager:

ssh user@hivemanager.company.com "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\""

Look for this output that confirms the system is no longer vulnerable:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'

Step 2) Run this command from another system with SSH access to the HiveManager:

ssh user@hivemanager.company.com "cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c \"echo date\"; cat /tmp/echo"

Look for this output that confirms the system is no longer vulnerable:

cat: /tmp/echo: No such file or directory

Details for checking for vulnerability were taken from this article:

https://access.redhat.com/articles/1200223

JimmyBoJingle


Posted 4 years ago
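When the two checks above are run against several HiveManagers, their output can be saved (with 2>&1, since the bash warnings go to stderr) and classified by a script. This is an added example, not part of the original post or Aerohive's tooling; the function names, the sample outputs and the date pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify saved output of the two checks.
# Function names, sample outputs and the date pattern are assumptions.

has_line() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Step 1: a vulnerable bash runs the injected "echo vulnerable".
classify_step1() {
    if has_line "$1" '^vulnerable$'; then echo VULNERABLE
    elif has_line "$1" 'ignoring function definition attempt|error importing function definition'
    then echo PATCHED
    else echo INCONCLUSIVE   # e.g. ssh failed, or stderr was not captured
    fi
}

# Step 2: a vulnerable bash creates /tmp/echo holding the output of "date".
# Assumes date prints in the default C-locale form, e.g. "Fri Sep 26 ...".
classify_step2() {
    if has_line "$1" '^[A-Z][a-z]{2} [A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}'; then
        echo VULNERABLE
    elif has_line "$1" '^cat: /tmp/echo: No such file or directory$'; then echo PATCHED
    else echo INCONCLUSIVE
    fi
}

# Both checks must report PATCHED; any VULNERABLE result wins.
verdict() {
    r1=$(classify_step1 "$1"); r2=$(classify_step2 "$2")
    case "$r1/$r2" in
        *VULNERABLE*)    echo VULNERABLE ;;
        PATCHED/PATCHED) echo PATCHED ;;
        *)               echo INCONCLUSIVE ;;
    esac
}

# Constructed sample outputs (stdout and stderr captured together with 2>&1).
S1_OK="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`BASH_FUNC_x'"
S1_BAD="vulnerable
test"
S2_OK="cat: /tmp/echo: No such file or directory"
S2_BAD="Fri Sep 26 10:15:02 UTC 2014"

verdict "$S1_OK"  "$S2_OK"    # PATCHED
verdict "$S1_BAD" "$S2_OK"    # VULNERABLE
verdict "$S1_OK"  "$S2_BAD"   # VULNERABLE
verdict "$S1_OK"  ""          # INCONCLUSIVE
```

An INCONCLUSIVE result means the expected lines were not found at all, so the check should be rerun by hand for that host.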

Mike Kouri, Official Rep

Thanks for saving us from having to post this ourselves!

FYI, the on-premises HiveManager patch is applicable to both HiveManager 6.1r6a and HiveManager 6.2r1a. 

BJ, Champ

Thanks Aerohive

Carsten Buchenau, Champ

@Aerohive:

I have patched all our HMVA installations that were either on 6.1r6a or 6.2r1a, instead of upgrading all to 6.2r1a first (need a bigger maintenance window for this).

Question: Can we expect an updated 6.2 version soon, e.g. 6.2r1b, that has the shellshock-patch already inside? In that case I would wait a few more days until the new version is available...

Thanks,
carsten

Mike Kouri, Official Rep

Carsten,
No, we don't plan at this time to release a new 6.2r1 image. We have version 6.3r1 in the works, expected to release in about a month, that will incorporate the newest version of Bash.