-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-005
CVE: CVE-2015-1389, CVE-2015-1392, CVE-2015-1550, CVE-2014-6628, CVE-2015-1551
Publication Date: 2015-03-25
Status: Confirmed, Fixed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in ClearPass Policy Manager. One of these has a
severity of "high".

Affected Products
=================

-- ClearPass Policy Manager (all versions)

Solution
========

Upgrade to one of the following software versions:

-- ClearPass Policy Manager 6.5.0 or later

Note that 6.4.5 addresses every issue below except CVE-2014-6628, which is
fixed only in 6.5.0; see the per-issue "Fix" lines in the Details section.

Details
=======

In order to protect customer networks, Aruba is providing no specific details
in the initial advisory. In accordance with our vulnerability disclosure
policy, Aruba will update this advisory in 60 days to provide full details of
each vulnerability.

Cross-site Scripting Permits Script Execution Inside Administrative Session (CVE-2015-1389)
-------------------------------------------------------------------------------------------

A cross-site scripting vulnerability permits an unauthenticated user to inject
script code that could be executed by a ClearPass administrator while inside an
administrative session.

Severity: High
Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
CVSSv2 Overall Score: 7.5
CVSSv2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Discovery: This vulnerability was discovered by Cristiano Maruti (@cmaruti) and
reported through the BugCrowd managed bug bounty program. The vulnerability was
independently discovered and reported by Stefan Lubienetzki of doIT Solutions
GmbH.
Fix: Fixed in 6.4.5, 6.5.0

Authenticated Cross-Site Scripting - Multiple Vulnerabilities (No CVE assigned)
------------------------------------------------------------------------------

Multiple cross-site scripting vulnerabilities exist within ClearPass that could
be used by one authenticated administrative user to inject script code into the
session of another administrative user.

Severity: Medium
Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
CVSSv2 Overall Score: 5.5
CVSSv2 Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Discovery: These vulnerabilities were discovered and reported through the
BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.5, 6.5.0

Authenticated SQL Injection - Multiple Vulnerabilities (CVE-2015-1392)
----------------------------------------------------------------------

Multiple SQL injection vulnerabilities exist within ClearPass. An
administrative user with a lower privilege level could leverage these
vulnerabilities to read information that should only be available at a higher
privilege level.

Severity: Low
Vulnerability Class: Improper Neutralization of Special Elements used in an SQL Command (CWE-89)
CVSSv2 Overall Score: 3.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Discovery: This vulnerability was discovered and reported through the BugCrowd
managed bug bounty program.
Fix: Fixed in 6.4.5, 6.5.0

Remote Code Execution through Pathname Traversal (CVE-2015-1550)
----------------------------------------------------------------

This vulnerability permits an authenticated administrative user to execute
arbitrary uploaded code on the underlying operating system with the privilege
level of the web server.

Severity: Medium
Vulnerability Class: Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
CVSSv2 Overall Score: 4.6
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported through the BugCrowd
managed bug bounty program.
Fix: Fixed in 6.4.5, 6.5.0

Remote Code Execution (CVE-2014-6628)
-------------------------------------

This vulnerability permits an authenticated administrative user to execute
arbitrary uploaded code on the underlying operating system with the privilege
level of the web server.

Severity: Medium
Vulnerability Class: Improper Control of Generation of Code (CWE-94)
CVSSv2 Overall Score: 6.0
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported by Luke Young and
Cory Scott of LinkedIn.
Fix: Fixed in 6.5.0. Due to the widespread nature of the changes, this cannot
be fixed in 6.4.x.

Information Disclosure through Pathname Traversal (CVE-2015-1551)
-----------------------------------------------------------------

This vulnerability permits an authenticated administrative user to read
information that he or she is not authorized to read, by uploading content
that exploits a bug in the enforcement of file path restrictions.

Severity: Low
Vulnerability Class: Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
CVSSv2 Overall Score: 3.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Discovery: This vulnerability was discovered by Andrew Leonov (@4lemon) and
reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.4, 6.5.0

Workarounds
===========

- Do not allow unprivileged users to access administrative interfaces of the
  ClearPass server. This can be accomplished by enforcing firewall rules that
  permit administrative access to ClearPass only from designated network
  locations.

- Most of the reported vulnerabilities involved "insider" attacks where an
  administrative user exploits a vulnerability against another administrative
  user. In environments where all ClearPass administrators are equally trusted
  and have equal privilege levels, these vulnerabilities may take on a lower
  priority. Note that CVE-2015-1389 does not require authentication, so this
  insider-attack caveat does not apply to it. If upgrading immediately is not
  feasible, consider temporarily suspending administrative access for
  lower-privilege administrators.

Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:

http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:

http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1.0 / 2015-Mar-25 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc. This advisory may be redistributed
freely after the release date given at the top of the text, provided that
redistributed copies are complete and unmodified, including all date and
version information.
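The "Fix" lines in the Details section give a different fixed-in version for each issue (6.4.4 for CVE-2015-1551, 6.4.5 for most, and 6.5.0 only for CVE-2014-6628), and the Workarounds section assumes you know which issues still apply to the release you are running. The following Python script is an added example and is not part of the Aruba advisory: it encodes those fixed-in versions and reports which issues remain unfixed for a given installed version. It assumes the usual branch semantics (a 6.4.x release at or above 6.4.5 carries the 6.4.5 fixes; any release at or above 6.5.0 carries everything), which the advisory implies with its "6.4.x" wording but does not state outright, and it assumes a plain dotted-numeric version string.

```python
"""Check an installed ClearPass Policy Manager version against the fixed-in
versions published in ARUBA-PSA-2015-005.

Added example, not part of the advisory. Branch semantics (same major.minor
at or above the fix, or at/above the newest fix) are an assumption.
"""
from typing import Dict, List, Tuple

# Fixed-in versions exactly as published in the advisory's "Fix:" lines.
# The authenticated XSS entry has no CVE, so it is keyed by its title.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2015-1389 (unauthenticated XSS)": ["6.4.5", "6.5.0"],
    "Authenticated XSS (no CVE)": ["6.4.5", "6.5.0"],
    "CVE-2015-1392 (authenticated SQLi)": ["6.4.5", "6.5.0"],
    "CVE-2015-1550 (RCE via path traversal)": ["6.4.5", "6.5.0"],
    "CVE-2014-6628 (RCE)": ["6.5.0"],  # advisory: cannot be fixed in 6.4.x
    "CVE-2015-1551 (info disclosure via path traversal)": ["6.4.4", "6.5.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.4.5' into (6, 4, 5); reject anything that is not dotted integers.

    Assumption: ClearPass reports a plain dotted-numeric version string.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {v!r}")
    return parts


def is_fixed(installed: str, fixed_versions: List[str]) -> bool:
    """True if `installed` carries one of `fixed_versions`.

    A release is considered fixed when it is at or beyond the newest listed
    fix (later branches carry earlier fixes forward), or when it sits on the
    same maintenance branch (major.minor) as a listed fix and is at or above
    that fix. A 6.4.x release is therefore never fixed for an issue whose only
    fix is 6.5.0.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    if inst >= fixes[-1]:
        return True
    return any(inst[:2] == f[:2] and inst >= f for f in fixes)


def unfixed_issues(installed: str) -> List[str]:
    """Names of the advisory's issues that `installed` is still exposed to."""
    return [name for name, fixes in FIXED_IN.items()
            if not is_fixed(installed, fixes)]


if __name__ == "__main__":
    # Constructed sample inputs covering each branch of the fix matrix.
    for ver in ("6.3.9", "6.4.4", "6.4.5", "6.4.7", "6.5.0", "6.6.1"):
        remaining = unfixed_issues(ver)
        status = "fully fixed" if not remaining else f"{len(remaining)} unfixed"
        print(f"{ver}: {status}")
        for name in remaining:
            print(f"    {name}")
```

Running it shows the shape of the advisory's fix matrix: 6.4.4 clears only CVE-2015-1551, 6.4.5 clears everything except CVE-2014-6628, and only 6.5.0 or later clears the whole set, which is why the Solution section names 6.5.0 even though most fixes shipped in 6.4.5.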
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJVDCuOAAoJEJj+CcpFhYbZqkIIAK7PdXv7ZmTOeuNrp2iifvz/
7+cFTrpN5cjZJCrv+MS66Ay1d9ANedRqgcqw5YbEW4Z7FKdL+Kgdrsrfuj7egvg+
LZ8MVNT8+vnGlpaGJbILLJbxd3YLlG8nqxYBEZjNQY4Rk78eI7CxgBeTx2061+7B
2GAq1RdTvDxYLM2BxasX1SBbTRK0nbuBTU+mT2twRrJlWlw5msHNulErjcGu/3pN
9lZsIpqWLTagScZ3f109WL4ZN3q0335JEhn/kF1PWOE+sojbXbruN10Nkup1mKwt
jcAE0j4nmYnjsDPOXAeY0O09Lo80dVtWKFVcNtRynaVI3NlwYexCCU0qiprMLNw=
=Qny1
-----END PGP SIGNATURE-----