-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 10282014

CVE-2014-5342
CVE-2014-6620
CVE-2014-6621
CVE-2014-6622
CVE-2014-6623
CVE-2014-6624
CVE-2014-6625
CVE-2014-6626
CVE-2014-6627

TITLE

Aruba ClearPass Multiple vulnerabilities (October 2014)

SUMMARY

Multiple vulnerabilities have been discovered in the Aruba ClearPass product
family. Please upgrade to the latest release to resolve the discovered
vulnerabilities.

AFFECTED VERSIONS

-- ClearPass 6.3.5 and earlier
-- ClearPass 6.4.0

DETAILS

Arbitrary command execution as root (CVE-2014-5342)
====================================================

A vulnerability is present in all versions of ClearPass prior to 6.3.5 and
6.4.1 that may permit an attacker to run arbitrary commands with the
privilege level of 'root'.

CVSS Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Aruba would like to thank Francisco Ribeiro for researching and reporting
this vulnerability.

FIX: Fixed in ClearPass 6.3.5 and 6.4.1

Unauthenticated Reflected XSS (CVE-2014-6620)
=============================================

A number of pages are vulnerable to a reflected XSS attack. An attacker may
be able to hijack the session of authenticated users, including
administrative users.

CVSS Score: 4.0 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.6 and 6.4.1

Unauthenticated Information Disclosure (CVE-2014-6621)
======================================================

A troubleshooting and diagnostics page for a ClearPass component was
inadvertently left enabled in the production version of code. This could
allow an unauthenticated user to retrieve information such as version number
and module configuration.

CVSS Score: 3.0 (LOW) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.
FIX: Fixed in ClearPass 6.3.5 and 6.4.1

Unauthenticated Information Disclosure (CVE-2014-6622)
======================================================

It may be possible for an unauthenticated user to determine the presence or
absence of a particular file on the system. This information could be used
for profiling, as part of preparation for an attack.

CVSS Score: 3.0 (LOW) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.5 and 6.4.1

ClearPass Insight Cross-site Request Forgery (CVE-2014-6623)
============================================================

The Insight module of ClearPass improperly enforces tokens to prevent
cross-site request forgery. This could permit an attacker to forge requests
on behalf of a currently logged-in user.

CVSS Score: 4.0 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.6 and 6.4.1

ClearPass Insight Privilege Escalation (CVE-2014-6624)
======================================================

A vulnerability in the Insight module of ClearPass allows an authenticated
user to read any file on the system. The information discovered could then
be used to elevate privileges.

CVSS Score: 8.5 (HIGH) (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.6 and 6.4.1

Authenticated Privilege Escalation (CVE-2014-6625)
==================================================

An authenticated privilege escalation vulnerability exists in ClearPass
Policy Manager which could permit a low-privilege user to elevate privileges
up to the super-admin level.

CVSS Score: 8.0 (HIGH) (AV:N/AC:L/Au:S/C:P/I:C/A:P)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.
FIX: Fixed in ClearPass 6.3.6 and 6.4.1

Improper authentication of some administrative actions (CVE-2014-6626)
======================================================================

Some administrative functions do not properly check for an authenticated
session. Under certain conditions, this could allow an attacker to execute
administrative actions without the need to authenticate as an administrator.

CVSS Score: 8.3 (HIGH) (AV:N/AC:M/Au:N/C:P/I:C/A:P)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.6 and 6.4.1

Arbitrary command execution as root (CVE-2014-6627)
===================================================

A second vulnerability is present which could allow an authenticated user to
execute arbitrary commands as "root". The method is different from that
described in CVE-2014-5342.

CVSS Score: 7.5 (HIGH) (AV:N/AC:M/Au:S/C:P/I:C/A:P)

Aruba would like to thank Luke Young of LinkedIn for researching and
reporting this vulnerability.

FIX: Fixed in ClearPass 6.3.5 and 6.4.1

SOLUTION

Aruba Networks recommends that all customers running any release prior to
6.4.1 upgrade to 6.4.1 as soon as practical. Customers who wish to continue
running ClearPass 6.3.x should upgrade to 6.3.6. Note that 6.3.5 resolves
only CVE-2014-5342, CVE-2014-6621, CVE-2014-6622 and CVE-2014-6627; the
remaining five issues in this advisory are fixed in the 6.3.x branch only
from 6.3.6 onward.

+----------------------------------------------------

OBTAINING FIXED SOFTWARE

Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
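The following script is an added example and is not part of Aruba's advisory or of the ClearPass product. It encodes the per-CVE fixed-in releases stated in the DETAILS section above and, for a given ClearPass version string, reports which of the nine CVEs remain unpatched and which upgrade targets the SOLUTION section names. The version-string format (dotted integers with an optional trailing build number), the sample inventory and all function names are this example's own assumptions.

```python
"""Check a ClearPass version against the fix matrix in Aruba advisory 10282014.

Added example, not Aruba's code: the fixed-in releases are transcribed from
the advisory text; the version-string format (dotted integers, optional
trailing build number) and the function names are assumptions.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Per CVE: (first fixed 6.3.x release, first fixed 6.4.x release), per the advisory.
FIX_MATRIX: Dict[str, Tuple[Version, Version]] = {
    "CVE-2014-5342": ((6, 3, 5), (6, 4, 1)),  # command execution as root
    "CVE-2014-6620": ((6, 3, 6), (6, 4, 1)),  # reflected XSS
    "CVE-2014-6621": ((6, 3, 5), (6, 4, 1)),  # diagnostics page left enabled
    "CVE-2014-6622": ((6, 3, 5), (6, 4, 1)),  # file-existence disclosure
    "CVE-2014-6623": ((6, 3, 6), (6, 4, 1)),  # Insight CSRF
    "CVE-2014-6624": ((6, 3, 6), (6, 4, 1)),  # Insight arbitrary file read
    "CVE-2014-6625": ((6, 3, 6), (6, 4, 1)),  # Policy Manager privilege escalation
    "CVE-2014-6626": ((6, 3, 6), (6, 4, 1)),  # admin actions without authentication
    "CVE-2014-6627": ((6, 3, 5), (6, 4, 1)),  # second command execution as root
}


def parse_version(text: str) -> Version:
    """Parse '6.3.5' or '6.3.5.70616' into a tuple of ints for comparison.

    Extra components (build numbers, an assumed format) are kept: tuple
    comparison gives (6, 3, 4, 99999) < (6, 3, 5) and (6, 3, 5, 1) >= (6, 3, 5).
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ClearPass version string: {text!r}")
    return tuple(int(p) for p in parts)


def unfixed_cves(version_text: str) -> List[str]:
    """Return the advisory's CVEs that the given version does not yet fix.

    The advisory tracks two branches: 6.3.x is compared against each CVE's
    6.3 fix release and 6.4.x against 6.4.1. Anything before 6.3 predates
    every fix and gets all nine CVEs; releases after 6.4 are outside the
    advisory's scope and get none.
    """
    v = parse_version(version_text)
    branch = v[:2]
    outstanding = []
    for cve, (fix_63, fix_64) in FIX_MATRIX.items():
        if branch < (6, 3):
            outstanding.append(cve)
        elif branch == (6, 3) and v < fix_63:
            outstanding.append(cve)
        elif branch == (6, 4) and v < fix_64:
            outstanding.append(cve)
    return outstanding


def upgrade_targets(version_text: str) -> List[str]:
    """Upgrade releases the SOLUTION section names for this version.

    6.4.1 is the general recommendation; 6.3.6 is offered only to customers
    who want to stay on 6.3.x. A version with nothing outstanding needs none.
    """
    if not unfixed_cves(version_text):
        return []
    targets = ["6.4.1"]
    if parse_version(version_text)[:2] == (6, 3):
        targets.append("6.3.6")
    return targets


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real build numbers.
    for host, ver in [("cppm-a", "6.3.4"), ("cppm-b", "6.3.5.70616"),
                      ("cppm-c", "6.4.0"), ("cppm-d", "6.4.1")]:
        missing = unfixed_cves(ver)
        if missing:
            print(f"{host} ({ver}): {len(missing)} unfixed, upgrade to "
                  f"{' or '.join(upgrade_targets(ver))}: {', '.join(missing)}")
        else:
            print(f"{host} ({ver}): nothing outstanding from advisory 10282014")
```

The two-branch comparison matters: a naive "version >= 6.3.6" check would wrongly flag 6.4.0 as fixed (it is listed as affected) and a naive "version >= 6.4.1" check would wrongly flag 6.3.6 as vulnerable. Feed the script the version string reported by the appliance and treat any non-empty result as an upgrade task.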
STATUS OF THIS NOTICE: Preliminary

Although Aruba Networks cannot guarantee the accuracy of all statements in
this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of this
advisory unless there is some material change in the facts. Should there be
a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-10282014.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

REVISION HISTORY

Revision 1.0 / 28-Oct-2014 / Initial release

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJUSWdgAAoJEJj+CcpFhYbZfXgH/jCuRkRmPt4ZtaIbZNjdmzJK
gPoW9/fVRRI/1qxJD3E45zaKyDHsm6RQXpQT0155RoMyfEFyjcdfVusxUazsBi+i
gLjHpYFK2txVs2rtP1xNNv6z+IAJbay0Bt1Nzvmp/YaqArcqESwasL8RlJB7Gcvt
KZZm/nnxz0N9KswdP2YskER1wZu03qrg1VqMKS7RwrMnbfjyG5lWVkohjV/DED3D
YstFxNVW1bSCuGXVDEdloM4HZ1hdPBkRS8BktNvRZDeajjQipSl9nLRhDfmaI0u0
SMru+Xu3kVGpj1AfgpGtcqPGkEbCz2NjkVW2KLAjziY0ci4LIkeOVgT3HI1Zsvs=
=PvlQ
-----END PGP SIGNATURE-----