Nessus plugins for Aerohive

  • Idea
  • Updated 4 months ago
I would like Aerohive to work with Tenable and make plugins for Nessus that cover Aerohive products such as HiveOS, HiveManager on-premise, virtual appliance, etc. Should cover version vulnerabilities, insecure configurations, and compliance auditing.

Currently there are no Nessus plugins with the word 'Aerohive' in the name and not much can be garnered from scanning an Aerohive Access Point even with credentials.

There are plugins for several competitors such as Aruba, Ubiquiti, Cisco, and even Apple. Our company follows the CIS20; due to controls 3 and 4, I am under increasing pressure to choose vendors that we can scan, audit, and harden well.
Fraser Hess

Posted 9 months ago
Jason Davis
+1. We're also customers of Aerohive and Tenable needing this Nessus plugin.
Mike Kouri, Official Rep
Fraser, Jason,
My apologies for not being present out here on HiveNation as much as I have in the past. This thread was brought to my attention this week as needing a response.

Tenable's Nessus is a security scanner. Plugins are written by Tenable engineers in response to specific vulnerabilities. The lack of any plugins with Aerohive's name is A Good Thing, as that indicates there are no known public vulnerabilities within proprietary Aerohive code (and I can assure you as Security team lead for Aerohive that there are no known non-public vulnerabilities, either).

I downloaded and reviewed CSC v7.0. As expected, like PCI 3.0, it mostly covers procedural behaviors and not product-specific requirements (things like "keep asset inventory current" and "remove unauthorized devices"), although in many cases our product capabilities can be used to assist in meeting the requirements (i.e., using PPSKs to meet the "use unique passwords" requirement).

If approached by Tenable we will work with them, but I see no reason right now for us to reach out to them.
Fraser Hess
I'm sorry but I feel that your response is dismissive, the thinking faulty, and that you have missed the point in several ways.
  1. The lack of Nessus plugins for Aerohive is not a good thing. It indicates that Aerohive products have not reached a significance threshold wherein Tenable starts writing them without your assistance. (As mentioned above, Nessus plugins exist for your competitors' products.)
  2. While there may be no known vulnerabilities in the shipping code, documented vulnerabilities have existed in previous versions and almost certainly exist undiscovered in current versions. (Nobody knew KRACK existed until it was researched and disclosed.)
  3. In general, vulnerability scanners discover issues already addressed and reported by the manufacturer but not addressed in the scanned environment.
  4. Most likely, many Aerohive customer sites still have older code deployed and the findings of a vulnerability scan would motivate them to upgrade to current, fixed, supported code.
  5. The presence of and announcements such as shows the need for having even simple plugins doing HiveOS or HiveManager on-premise version comparison.
  6. The CSC (specifically v7 control 3.2) calls for authenticated scans wherein the scanner logs in (usually with SSH in network devices) to the scanned device and makes deterministic evaluations of vulnerabilities based on self-reported device details (such as software versions or configuration settings). Today, no such evaluation can be made of Aerohive products with Nessus.
That said, I will open a case with Tenable requesting plugins for Aerohive. (I may have done this before but I can't find the ticket.)

Thinking on this, a security audit tool in HiveManager that performed a similar function would be a welcome addition. Given how tightly integrated Aerohive products are, Aerohive should have all the data required to highlight vulnerable code versions still in use on network devices, insecure configurations (like Telnet), etc.
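As an added illustration of the authenticated-scan logic described in point 6 and the audit tool suggested above (example code written for this thread, not Nessus, NASL or Aerohive code): the checks below take the kind of self-reported facts an SSH login would collect, a firmware version string and configuration lines, and turn them into deterministic findings. The device output, the fixed-version threshold and the insecure-setting table are constructed placeholders, not real HiveOS commands, output or advisories.

```python
import re
from typing import List, Tuple

# Constructed sample of what an SSH collection step might return from a
# device; the format and values are placeholders, not real HiveOS output.
COLLECTED_VERSION = "Firmware version 6.5r3 build-1234"
COLLECTED_CONFIG = ["hostname ap-lobby-01", "telnet enable", "ssh enable",
                    "snmp community public"]

# Placeholder threshold: the oldest release the check treats as patched.
FIXED_VERSION = (6, 5, 4)

# Constructed table of configuration lines an audit would flag as insecure.
INSECURE_SETTINGS = {
    "telnet enable": "Telnet management enabled (cleartext credentials)",
    "snmp community public": "default SNMP community string in use",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a banner containing '6.5r3' into (6, 5, 3); a missing rN suffix is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:r(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, rel = m.groups()
    return (int(major), int(minor), int(rel or 0))


def check_version(banner: str, fixed: Tuple[int, int, int]) -> List[str]:
    """Deterministic comparison: report when the running build predates the fix."""
    running = parse_version(banner)
    if running < fixed:
        return [f"firmware {running} is older than fixed release {fixed}"]
    return []


def check_config(lines: List[str]) -> List[str]:
    """Flag self-reported configuration lines that match known-insecure settings."""
    return [INSECURE_SETTINGS[l.strip()] for l in lines if l.strip() in INSECURE_SETTINGS]


def audit(banner: str, config: List[str]) -> List[str]:
    """Everything a credentialed check would report for one device."""
    return check_version(banner, FIXED_VERSION) + check_config(config)


if __name__ == "__main__":
    for finding in audit(COLLECTED_VERSION, COLLECTED_CONFIG):
        print("FINDING:", finding)
```

A real plugin would replace the constructed collection step with the scanner's credentialed SSH session and the placeholder threshold with the vendor's published fixed version for each advisory.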