ADVISORY NUMBER 050214

+------------------------------------------------------------------------------

Vulnerability #1

TITLE

Privilege Elevation Vulnerability in ClearPass Policy Manager for
Authenticated Network Users (CVE-2014-2071)

SUMMARY

If ClearPass is configured to use tunneled and non-tunneled authentication
methods within a single policy construct (Service), a network user with
independent inner and outer identities could receive elevated network
privileges while using a tunneled EAP method to connect to the network.

AFFECTED VERSIONS

-- ClearPass 6.1.X, 6.2.X

DETAILS

Previously for EAP based authentication, ClearPass would first use the Outer
Identity for authentication instead of the Inner Identity. If a user has
previously successfully authenticated to the network through ClearPass, an
attacker could potentially change the Outer Identity and get escalated
network privileges associated with a different username and role.

IMPACT

If ClearPass is configured to use tunneled and non-tunneled EAP methods
within a single policy construct, an attacker with valid credentials can
advertise independent inner and outer identities within a tunneled EAP
method to request elevated access privileges on the network.

CVSS v2 Base Score: 4.1 (MEDIUM) (AV:A/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C)

WORKAROUNDS

Do not use tunneled and non-tunneled EAP methods in a single Service. Use
separate Services to handle tunneled EAP methods and non-tunneled EAP
methods. If an existing Service carries tunneled and non-tunneled
authentication methods, investigate the feasibility of separating these
authentication methods into separate Services.

Aruba Networks recommends that all customers apply the appropriate patch(es)
as soon as practical.

SOLUTION

Aruba Networks recommends that customers running the affected versions apply
the appropriate ClearPass 6.1.4.61696 or 6.2.5.61640 patches released
February 2014, as soon as practical.
Customers using ClearPass versions prior to 6.1 are urged to upgrade to
ClearPass Policy Manager 6.2.5.61640 or ClearPass Policy Manager 6.3.0.61712
as soon as practical.

+------------------------------------------------------------------------------

Vulnerability #2

TITLE

Privilege Elevation Vulnerability in ClearPass Policy Manager for
Authenticated System Administrators (CVE-2014-2593)

SUMMARY

An authenticated system administrator accessing the ClearPass Policy Manager
CLI through SSH or console can receive elevated privilege into the shell by
crafting an argument-string to the system command that needs to be executed.

AFFECTED VERSIONS

-- ClearPass 6.1.X, 6.2.X, 6.3.0

IMPACT

A valid system administrator with malicious intent can disrupt
authentication activity by denying authentication services or modifying
configuration on the ClearPass Policy Manager without appropriate audit
trails via elevated shell access.

CVSS v2 Base Score: 8.5 (HIGH) (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C)

DETAILS

The vulnerability consists of an input validation flaw in command parsing
through the CLI. This flaw allowed authenticated users to inject system
commands and get escalated privileges. With this escalated privilege,
attackers could execute arbitrary code (with ‘root’ privileges) that could be
used to compromise the system, including locally stored data or data flowing
through it. That information could potentially be used to compromise
additional systems.

WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate patch(es)
as soon as practical.

SOLUTION

Aruba Networks recommends that all customers apply the appropriate ClearPass
6.1.4.61696, 6.2.5.61640 or 6.3.0.61712 patches released February 2014, as
soon as practical. Customers using ClearPass versions prior to 6.1 are urged
to upgrade to ClearPass Policy Manager 6.2.5.61640 or ClearPass Policy
Manager 6.3.0.61712 as soon as practical.
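
The flaw class described under Vulnerability #2 DETAILS, shown as an added
example that is not Aruba's code: a restricted CLI that pastes the operator's
argument string into a command line, next to a dispatcher that validates each
token and builds an argv list. The advisory does not say which command or
parser was affected; the command table, program paths and patterns below are
hypothetical.

```python
import re
import shlex

# Hypothetical grammar for one positional argument: a host name or IPv4 literal.
# It must start with an alphanumeric, so it can never be read as an option.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Hypothetical restricted-CLI command table (not taken from ClearPass):
# fixed argv prefix plus one pattern per operator-supplied argument.
COMMANDS = {
    "ping": {"argv": ["/bin/ping", "-c", "3", "--"], "args": [HOSTNAME]},
    "traceroute": {"argv": ["/usr/bin/traceroute", "--"], "args": [HOSTNAME]},
}

def unsafe_command_line(name, arg_string):
    """Flawed pattern: operator text is concatenated into a shell command line,
    so shell metacharacters in arg_string are interpreted by the shell."""
    return COMMANDS[name]["argv"][0] + " " + arg_string

def build_argv(name, arg_string):
    """Hardened pattern: tokenise without a shell, check every token against
    the command's grammar, and return an argv list for exec-style invocation
    (for example subprocess.run(argv) with the default shell=False)."""
    spec = COMMANDS.get(name)
    if spec is None:
        raise ValueError("unknown command: %r" % name)
    try:
        tokens = shlex.split(arg_string, posix=True)
    except ValueError:
        raise ValueError("unbalanced quoting in arguments")
    if len(tokens) != len(spec["args"]):
        raise ValueError("wrong number of arguments")
    for token, pattern in zip(tokens, spec["args"]):
        if not pattern.fullmatch(token):
            raise ValueError("argument rejected: %r" % token)
    return spec["argv"] + tokens
```

Because the argv list is never handed to a shell, an argument that passes
validation can only ever be one operand of the fixed program.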
+------------------------------------------------------------------------------

MISCELLANEOUS

* Tunneled EAP Methods supported by ClearPass Policy Manager
  EAP-PEAP, EAP-FAST, EAP-TTLS

* Non-Tunneled EAP Methods supported by ClearPass Policy Manager
  EAP-MSCHAPv2, EAP-GTC, EAP-TLS, EAP-MD5

+------------------------------------------------------------------------------

OBTAINING FIXED SOFTWARE

Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

REVISION HISTORY

Revision 1.0 / 05-02-2014 / Initial release
Revision 1.1 / 10-09-2014 / Full disclosure release

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the
top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
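
An added example, not part of Aruba's advisory, for the Vulnerability #1
workaround: it finds Services that mix the two method families listed under
MISCELLANEOUS, proposes the split, and flags tunneled sessions where policy
followed an outer identity that differs from the inner one. The Service and
session record layouts are constructed for illustration and are not a
ClearPass export format.

```python
# Method families as listed in the advisory's MISCELLANEOUS section.
TUNNELED = {"EAP-PEAP", "EAP-FAST", "EAP-TTLS"}
NON_TUNNELED = {"EAP-MSCHAPv2", "EAP-GTC", "EAP-TLS", "EAP-MD5"}

# Constructed sample data; field names are hypothetical, not a ClearPass schema.
SERVICES = [
    {"name": "Corp-8021X", "methods": ["EAP-PEAP", "EAP-TLS", "EAP-MSCHAPv2"]},
    {"name": "Corp-Tunneled", "methods": ["EAP-PEAP", "EAP-TTLS"]},
    {"name": "Cert-Only", "methods": ["EAP-TLS"]},
]
RECORDS = [
    {"session": "s1", "method": "EAP-PEAP", "outer_identity": "anonymous",
     "inner_identity": "alice", "policy_username": "alice"},
    {"session": "s2", "method": "EAP-PEAP", "outer_identity": "netadmin",
     "inner_identity": "alice", "policy_username": "netadmin"},
    {"session": "s3", "method": "EAP-TLS", "outer_identity": "bob",
     "inner_identity": "bob", "policy_username": "bob"},
]

def mixed_services(services):
    """Return Services that carry both method families (the risky setup)."""
    found = []
    for svc in services:
        methods = set(svc["methods"])
        tunneled = sorted(methods & TUNNELED)
        plain = sorted(methods & NON_TUNNELED)
        if tunneled and plain:
            found.append({"name": svc["name"], "tunneled": tunneled,
                          "non_tunneled": plain})
    return found

def split_plan(report):
    """Advisory workaround: one Service per method family."""
    return [{"name": report["name"] + "-tunneled", "methods": report["tunneled"]},
            {"name": report["name"] + "-non-tunneled",
             "methods": report["non_tunneled"]}]

def suspicious_sessions(records):
    """Tunneled sessions where policy followed an outer identity that differs
    from the authenticated inner identity."""
    hits = []
    for rec in records:
        inner = rec["inner_identity"].lower()
        outer = rec["outer_identity"].lower()
        if (rec["method"] in TUNNELED and inner != outer
                and rec["policy_username"].lower() == outer):
            hits.append(rec["session"])
    return hits
```

An anonymous outer identity on its own is normal for tunneled EAP, which is
why session s1 is not flagged; only s2, where the role decision tracked the
outer name, needs review.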