Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-009
CVE: CVE-2015-3653, CVE-2015-3654, CVE-2015-3655, CVE-2015-3656, CVE-2015-3657, CVE-2015-4649, CVE-2015-4650
Publication Date: 2015-08-18
Status: Confirmed, Fixed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in ClearPass Policy Manager. Multiple vulnerabilities in this advisory have a severity of "high". Customers are encouraged to upgrade to ClearPass 6.4.7 or ClearPass 6.5.2 as soon as possible.

Affected Products
=================

-- ClearPass Policy Manager - all versions prior to 6.4.7
-- ClearPass Policy Manager 6.5.x prior to 6.5.2

Solution
========

Upgrade to one of the following software versions:

-- ClearPass Policy Manager 6.4.7 or later
-- ClearPass Policy Manager 6.5.2 or later

Note: A patch for ClearPass 6.5.2 exists to address an OpenSSL vulnerability previously announced in ARUBA-PSA-2015-008. If upgrading to ClearPass 6.5.2, please make sure to apply the patch after upgrading. See http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-008.txt for details.

Details
=======

In order to protect customer networks, Aruba is providing no specific details in the initial advisory. In accordance with our vulnerability disclosure policy, Aruba will update this advisory in 60 days to provide full details of each vulnerability.

Authenticated Administrator May Overwrite Arbitrary Files (CVE-2015-3653)
-------------------------------------------------------------------------

Incorrect permission checking may make it possible for an authenticated ClearPass administrator to overwrite arbitrary files within the underlying operating system. The flaw could allow a successful privilege escalation or denial of service attack.
Severity: Medium
CVSSv2 Overall Score: 4.6
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.7, 6.5.2

Authenticated Administrator May Escalate Privilege to "root" (CVE-2015-3654)
----------------------------------------------------------------------------

Through a sequence of operations, a ClearPass administrator of any privilege level may be able to gain access to the underlying operating system with the privilege level of "root". Once this privilege level is gained, the user would have full control of the entire ClearPass system.

Severity: High
CVSSv2 Overall Score: 8.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.7, 6.5.2

Cross-Site Request Forgery (CVE-2015-3655)
------------------------------------------

ClearPass implements a randomized session token to prevent cross-site request forgery (CSRF) attacks. A defect in the implementation permits certain URLs to be accessed without proper enforcement of the anti-CSRF token. This could allow an attacker to gain control of an administrative session through a CSRF attack.

Severity: Medium
CVSSv2 Overall Score: 5.1
CVSSv2 Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.7, 6.5.2

Privilege Escalation through Failure to Check Authorization (CVE-2015-3656)
---------------------------------------------------------------------------

ClearPass supports different privilege levels for administrators, such that some operations are prohibited for lower-level administrators. A failure to properly enforce authorization checks could permit a lower-level administrator to carry out certain operations within ClearPass which should be restricted to a higher-level administrator.
Severity: Medium
CVSSv2 Overall Score: 6.1
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.7, 6.5.2

Persistent Privilege Escalation from "Network Admin" to "Super Admin" (CVE-2015-3657)
-------------------------------------------------------------------------------------

ClearPass supports different privilege levels for administrators, such that some operations are prohibited for lower-level administrators. A defect permits a lower-level administrator to permanently grant himself/herself "Super Admin" rights.

Severity: High
CVSSv2 Overall Score: 7.1
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 6.4.7, 6.5.2

Authenticated Administrator May Escalate Privilege to "root" (CVE-2015-4649)
----------------------------------------------------------------------------

A ClearPass administrator of any privilege level may be able to gain access to the underlying operating system with the privilege level of "root". Once this privilege level is gained, the user would have full control of the entire ClearPass system. This is a separate vulnerability from CVE-2015-3654 with a different attack vector.

Severity: High
CVSSv2 Overall Score: 8.5
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Discovery: This vulnerability was discovered and reported by John Fleming of Mission Critical Systems.
Fix: Fixed in 6.4.7, 6.5.2

Unauthenticated Access to Underlying Operating System as "root" (CVE-2015-4650)
-------------------------------------------------------------------------------

A vulnerability exists which allows an unauthenticated user to gain shell access to the ClearPass underlying operating system with the privilege level of "root". Using this vulnerability, an attacker can gain complete control of the ClearPass system.
Severity: High
CVSSv2 Overall Score: 9.3
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Discovery: This vulnerability was discovered and reported by Telstra and Datacom TSS.
Fix: Fixed in 6.4.7, 6.5.2

Workarounds
===========

- Do not allow unprivileged users to access administrative interfaces of the ClearPass server. This can be accomplished by enforcing firewall rules that permit administrative access to ClearPass only from designated network locations.

- Many of the reported vulnerabilities involved "insider" attacks where an administrative user exploits a vulnerability against another administrative user. In environments where all ClearPass administrators are equally trusted and have equal privilege levels, these vulnerabilities may take on a lower priority. If upgrading immediately is not feasible, consider temporarily suspending administrative access for lower-privilege administrators.

Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website: http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at: http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1.0 / 2015-Aug-18 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption.
Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
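As an added triage example (not part of the advisory or of Aruba's tooling), the following Python script checks an installed ClearPass version string against the affected ranges listed above and recomputes the CVSSv2 base scores from the published vectors with the standard CVSSv2 base equation. The formula reproduces six of the seven published scores; CVE-2015-3656 recomputes to 6.0 against the published 6.1, so the script reports that mismatch instead of hiding it. The version strings are constructed inputs.

```python
"""Triage helpers for ARUBA-PSA-2015-009 (added example, not Aruba's code)."""
import re

# Advisory data transcribed from the text: CVE -> (CVSSv2 vector, published score).
ADVISORY = {
    "CVE-2015-3653": ("AV:N/AC:H/Au:S/C:P/I:P/A:P", 4.6),
    "CVE-2015-3654": ("AV:N/AC:M/Au:S/C:C/I:C/A:C", 8.5),
    "CVE-2015-3655": ("AV:N/AC:H/Au:N/C:P/I:P/A:P", 5.1),
    "CVE-2015-3656": ("AV:N/AC:M/Au:S/C:P/I:P/A:P", 6.1),
    "CVE-2015-3657": ("AV:N/AC:H/Au:S/C:C/I:C/A:C", 7.1),
    "CVE-2015-4649": ("AV:N/AC:M/Au:S/C:C/I:C/A:C", 8.5),
    "CVE-2015-4650": ("AV:N/AC:M/Au:N/C:C/I:C/A:C", 9.3),
}

def parse_version(v):
    """'6.5.1' -> (6, 5, 1); tolerates a build suffix such as '6.4.7.12345'."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """Affected per the advisory: anything before 6.4.7, plus 6.5.0 and 6.5.1.
    6.4.7+ and 6.5.2+ carry the fix (6.5.2 still needs the PSA-2015-008 patch)."""
    v = parse_version(version)
    if v < (6, 4, 7):
        return True
    return (6, 5, 0) <= v < (6, 5, 2)

# CVSSv2 base metric weights from the CVSS v2 specification.
_W = {"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
      "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
      "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
      "C": {"N": 0.0, "P": 0.275, "C": 0.660}}
_W["I"] = _W["A"] = _W["C"]  # impact weights are identical for C, I and A

def cvss2_base_score(vector):
    """Recompute the CVSSv2 base score from a vector like '(AV:N/AC:M/Au:N/...)'."""
    m = dict(p.split(":") for p in vector.strip("()").split("/"))
    c, i, a = (_W[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _W["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def score_mismatches():
    """CVEs whose published score differs from the recomputed one."""
    return [cve for cve, (vec, pub) in ADVISORY.items()
            if cvss2_base_score(vec) != pub]
```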