CVE-2020-16152
Published 2021-11-14
CVE-2020-16152: The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP…
Priority: P274 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 35.05% (98.2th percentile)
The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| extremenetworks | aerohive_netconfig | < 10.0r8a | 10.0r8a |
| extremenetworks | aerohive_netconfig | — | — |
Detection & IOCs (extracted from sources)
- url: /login.php5
- url: /action.php5
- path: /tmp/messages
- bytes: |3c 3f|php|20|system|28 24 5f|POST|5b 27|
- bytes: |2f 2e 2e 2f 2e 2e|

snort
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.php5"; http.request_body; content:"|3c 3f|php|20|system|28 24 5f|POST|5b 27|"; nocase; fast_pattern; reference:cve,2020-16152; classtype:attempted-admin; sid:2035401; rev:2;)
```

snort
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/action.php5"; http.request_body; content:"|2f 2e 2e 2f 2e 2e|"; fast_pattern; content:"/tmp/messages"; reference:cve,2020-16152; classtype:attempted-admin; sid:2035402; rev:2;)
```
- Log poisoning stage: watch for POST requests to /login.php5 whose body carries the PHP webshell payload bytes (the <?php system($_POST[...]) pattern); this is the log injection step of the two-stage attack.
- LFI traversal stage: watch for POST requests to /action.php5 containing directory traversal sequences (/../..) together with the target log path /tmp/messages; this triggers execution of the poisoned log.
- The exploit is two-stage: first poison /tmp/messages via a crafted login request, then trigger LFI via /action.php5 to include and execute the poisoned log as PHP. Both stages must be correlated for full detection.
- The LFI is enabled by PHP 5 string truncation vulnerabilities; monitor for null-byte or long-string truncation patterns appended to file path parameters in requests to /action.php5.
- Post-exploitation indicator: the NetConfig web application may hang or become unresponsive while a reverse shell session is active, so unexpected hangs of the management interface may indicate active exploitation.
- The Snort/Suricata rules target inbound traffic to $HOME_NET/$HTTP_SERVERS; make sure the Aerohive management interface IP is included in those variables, otherwise the rules (SID 2035401, 2035402) will never fire.
- The Metasploit module's automatic log cleanup option is disabled by default because any modification to /tmp/messages (even via sed) may render the target temporarily unexploitable for over an hour; avoid aggressive log-clearing responses that could interfere with forensic collection.
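The bullets above say both stages must be correlated for full detection, but the two ET rules fire independently, one per request. The script below is an added example (not from the page, the ET ruleset, or Extreme Networks) that applies the same byte patterns as SIDs 2035401 and 2035402 to a constructed request log and pairs a /login.php5 poisoning request with a later /action.php5 traversal request from the same source inside a time window. The log format (epoch, source IP, method, URI, raw body, tab-separated), the request parameter names and all IP addresses are constructed for the example; a real deployment would feed it from a web-proxy or IDS HTTP log.

```python
import re
from collections import defaultdict

# Patterns taken from the two ET rules on this page (SID 2035401 and 2035402).
STAGE1_URI = "/login.php5"
# |3c 3f|php|20|system|28 24 5f|POST|5b 27| decodes to "<?php system($_POST['"; the rule uses nocase.
STAGE1_BODY = re.compile(rb"<\?php system\(\$_POST\['", re.IGNORECASE)
STAGE2_URI = "/action.php5"
STAGE2_TRAVERSAL = b"/../.."        # |2f 2e 2e 2f 2e 2e|
STAGE2_TARGET = b"/tmp/messages"    # the poisoned log the LFI includes


def parse_line(line: bytes):
    """Constructed log format: epoch<TAB>src_ip<TAB>method<TAB>uri<TAB>raw_body."""
    ts, src, method, uri, body = line.split(b"\t", 4)
    return int(ts), src.decode(), method.decode(), uri.decode(), body


def classify(method: str, uri: str, body: bytes):
    """Return 'poison', 'lfi' or None for one request, mirroring the two rules."""
    if method != "POST":
        return None
    if uri == STAGE1_URI and STAGE1_BODY.search(body):
        return "poison"
    if uri == STAGE2_URI and STAGE2_TRAVERSAL in body and STAGE2_TARGET in body:
        return "lfi"
    return None


def correlate(log: bytes, window: int = 3600):
    """Pair each LFI request with the most recent unpaired poisoning request from the
    same source that is at most `window` seconds older.

    Returns (correlated, partial): correlated holds (src, poison_ts, lfi_ts) triples,
    i.e. the full two-stage chain; partial holds (src, ts, stage) single-stage hits
    that never paired and still deserve a lower-severity alert."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, method, uri, body = parse_line(line)
        stage = classify(method, uri, body)
        if stage is not None:
            events[src].append((ts, stage))

    correlated, partial = [], []
    for src, evs in events.items():
        pending = None  # timestamp of the newest unpaired poisoning request
        for ts, stage in sorted(evs):
            if stage == "poison":
                if pending is not None:
                    partial.append((src, pending, "poison"))
                pending = ts
            elif pending is not None and ts - pending <= window:
                correlated.append((src, pending, ts))
                pending = None
            else:
                partial.append((src, ts, "lfi"))
        if pending is not None:
            partial.append((src, pending, "poison"))
    return correlated, partial


# Constructed sample log: one benign login, one full two-stage chain from 203.0.113.5,
# one traversal request with no prior poisoning from 192.0.2.9, and a GET that must be ignored.
SAMPLE_LOG = (
    b"1700000000\t198.51.100.7\tPOST\t/login.php5\tlogin=admin&password=hunter2\n"
    b"1700000010\t203.0.113.5\tPOST\t/login.php5\tlogin=<?php system($_POST['c']);?>&password=x\n"
    b"1700000020\t203.0.113.5\tPOST\t/action.php5\tparam=/../../tmp/messages\n"
    b"1700000030\t192.0.2.9\tPOST\t/action.php5\tparam=/../../tmp/messages\n"
    b"1700000040\t203.0.113.5\tGET\t/action.php5\t\n"
)

if __name__ == "__main__":
    full, single = correlate(SAMPLE_LOG)
    for src, t1, t2 in full:
        print(f"CRITICAL two-stage chain from {src}: poison at {t1}, include at {t2}")
    for src, t, stage in single:
        print(f"WARNING unpaired {stage} stage from {src} at {t}")
```

The window default of one hour is an assumption; the page notes that a modified /tmp/messages can leave the device unexploitable for over an hour, so an attacker who poisons the log and waits is still caught by widening the window, at the cost of more partial matches.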
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Suricata: ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1
suricata · 2022-03-07 · CVSS 9.8
CVE-2020-16152 [CRITICAL] ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.php5"; http.request_body; content:"|3c 3f|php|20|system|28 24 5f|POST|5b 27|"; nocase; fast_pattern; reference:cve,2020-16152; classtype:attempted-admin; sid:2035401; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2022_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access,
```
Suricata: ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2
suricata · 2022-03-07 · CVSS 9.8
CVE-2020-16152 [CRITICAL] ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/action.php5"; http.request_body; content:"|2f 2e 2e 2f 2e 2e|"; fast_pattern; content:"/tmp/messages"; reference:cve,2020-16152; classtype:attempted-admin; sid:2035402; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2022_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190)
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html
- https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001

Published: 2021-11-14