ADVISORY NUMBER
050813

CVE-2013-2269

TITLE
Sponsor Confirmation Approval Bypass Vulnerability in Aruba Networks ClearPass Guest product

SUMMARY
When customers use the default settings for Sponsorship Confirmation, there exists a possibility that anyone – not just the sponsor – could approve a request. This could allow unauthorized access to the guest network and whatever access it may have inside the organization.

AFFECTED VERSIONS
-- ClearPass 5.X, 6.0.1, 6.0.2
-- Amigopod/ClearPass Guest 3.0 thru 3.9.7

DETAILS
Amigopod/ClearPass Guest provides a mechanism for guests to request network access through a captive portal. An email is sent to a sponsor, i.e. a company employee, who is then able to approve or deny the guest request for network access through a page hosted on Amigopod/CP Guest. Unless the request is approved, the guest should not have any network access outside of the configured walled garden on the NAS device.

After a guest requests network access, they are directed to a default holding page hosted by Amigopod/CP Guest. With default settings, this page contains a link to download the account details for use when the guest account is approved. Through the use of parameter manipulation, this link can be used to return to an attacker additional information, including details of the sponsor approval page for that specific guest request. The attacker could then browse to the sponsor approval page and approve their own request.

DISCOVERY
This vulnerability was discovered by Mukul Khullar from the Advanced Security Center at Ernst & Young.

IMPACT
The attacker would have access to the network resources allowed by the 'Guest' Role/VLAN on the NAS. Typically this would only be Internet access, but could potentially include more confidential internal network resources if the sponsorship approval process was used for contractors, auditors or guests with elevated network privileges.

Even with only Internet access, an attacker could launch additional attacks against either internal or external hosts while masquerading as a legitimate guest.

CVSS v2 BASE METRIC SCORE: 3.4 (AV:A/AC:L/Au:N/C:N/I:P/A:N)

WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical, or disable sponsor-based approval.

SOLUTION
Aruba Networks recommends that all customers apply the Amigopod 3.9.7 or ClearPass Guest 6.0.2 February 2013 cumulative patch as soon as practical.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at:
Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/alerts/aid-050813.asc
SecurityFocus Bugtraq: http://www.securityfocus.com/archive/1

STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-050813.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY
Revision 1.0 / 05-08-2013 / Initial release

ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks products, and on obtaining assistance with security incidents, is available at http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/

(c) Copyright 2013 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
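The DETAILS section describes a sponsorship workflow in which the guest-facing holding page leaks enough about the sponsor approval page for the requester to approve their own request. The following added example is not ClearPass Guest code; it is a hypothetical model of such a workflow that shows the weak pattern (approval tied only to knowing the request) next to a hardened one in which the approval capability is a secret sent only to the sponsor and the approver's authenticated identity must match the recorded sponsor. All class and method names are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class GuestRequest:
    guest_email: str
    sponsor_email: str
    approval_secret: str   # sent only to the sponsor, never rendered to the guest
    status: str = "pending"

class SponsorApprovalService:
    # Hypothetical service modelling the sponsor-confirmation flow in the advisory.
    def __init__(self):
        self._requests: dict[str, GuestRequest] = {}

    def submit(self, guest_email: str, sponsor_email: str) -> str:
        rid = secrets.token_hex(8)          # identifier the guest is allowed to see
        self._requests[rid] = GuestRequest(
            guest_email, sponsor_email, secrets.token_urlsafe(32))
        return rid

    def guest_holding_view(self, rid: str) -> dict:
        # Hardened holding page: status only. Leaking the sponsor approval
        # page or its parameters here is the weakness the advisory describes.
        return {"request_id": rid, "status": self._requests[rid].status}

    def sponsor_notification(self, rid: str) -> dict:
        # The sponsor e-mail is the only place the approval capability travels.
        req = self._requests[rid]
        return {"to": req.sponsor_email, "request_id": rid,
                "approval_secret": req.approval_secret}

    def approve_weak(self, rid: str) -> bool:
        # Weak pattern: reaching the approval page for a request is enough to approve it.
        req = self._requests.get(rid)
        if req is None:
            return False
        req.status = "approved"
        return True

    def approve(self, rid: str, approval_secret: str, approver_email: str) -> bool:
        # Hardened: sponsor-only secret (constant-time compare) and approver must be the sponsor.
        req = self._requests.get(rid)
        if req is None or approver_email != req.sponsor_email:
            return False
        if not hmac.compare_digest(approval_secret, req.approval_secret):
            return False
        req.status = "approved"
        return True
```

With the hardened path, everything the guest can observe (the request id and its status) is insufficient to approve, which is the property the advisory's default configuration lacked.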