-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-008
CVE: CVE-2016-2033
Publication Date: 2016-May-11
Status: Confirmed, Fixed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in ClearPass Policy Manager. Given the severity of these issues, customers are urged to update their software immediately.

Affected Products
=================

-- ClearPass Policy Manager up to, but not including, 6.5.6 and 6.6.0

Details
=======

Because all vulnerabilities described in this advisory are fixed in the same set of software releases, and are not separable, a single CVE number (CVE-2016-2033) is being used to track the entire set.

Unauthenticated SQL Injection
-----------------------------

A SQL injection vulnerability exists that permits an unauthenticated user with network access to a ClearPass server to obtain arbitrary information from internal databases. This vulnerability leads to complete system compromise.

Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.6 and 6.6.0

Unauthenticated Arbitrary File Read via XXE
-------------------------------------------

A vulnerability related to XML External Entity processing (XXE) allows an unauthenticated user with network access to a ClearPass server to read any arbitrary file from the filesystem. This can be used to achieve complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 8.1
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.
FIX: Fixed in 6.5.6 and 6.6.0

Authenticated Remote Command Execution as 'root'
------------------------------------------------

Multiple ClearPass web interfaces do not perform proper input validation, which allows authenticated administrative users of any privilege level to inject commands that will be executed as 'root'. This can be used to achieve complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.6 and 6.6.0

Authenticated SQL Injection
---------------------------

Multiple SQL injection vulnerabilities exist that permit an authenticated administrative user of any privilege level to retrieve arbitrary information from the database and execute stored procedures with database privileges. These vulnerabilities can be used in combination with other vulnerabilities to achieve complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.6 and 6.6.0

Privilege escalation
--------------------

Multiple privilege escalation vulnerabilities exist that permit an authenticated administrative user of any privilege level to escalate privileges to "SuperAdministrator". Once escalated, the user may exercise any administrative action.

Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.6 and 6.6.0

Improper Software Update Signature Validation
---------------------------------------------

ClearPass software updates are digitally signed.
Because of incorrect parameter usage in the signature validation function, it is possible for an attacker to create a forged software update that ClearPass would accept as valid.

Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSSv3 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.6 and 6.6.0

Resolution
==========

Update ClearPass to version 6.5.6 or higher, or version 6.6.0 or higher.

Revision History
================

Revision 1 / 2016-May-11 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products, and on obtaining assistance with security incidents, is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXMSw4AAoJEJj+CcpFhYbZoRQH/AyAab8vjtTcwhDw6evmux1y
CQ0TdWa1ZZKMxzX1OLQTE6McHfWTy7YLpxr8L+NWtxuSmCegKTfS6yVDhr37oV5F
k9eq3vIvQJ+zuXWnwy8GDenZg2t0/yNbbwY7UztriGe4MgjrAv+aQNVA6uOswl/H
snZrzKsTuXg99tI/8zMCTptu204MbKrjYMvzoFlzn1UCbGO0smCQEaTSTt4bagx9
1ByBoyJie4HN2NtypAWYhe+8u9kS7aTPcuCu4nlnQDZSCznPLL2vuI9kIZNdgdBl
YqyavpssdytPEI/TjSZQuQheunGZXnowFE7V/W4GONKUQ1vLDUYvxKv532eBN0k=
=EmS2
-----END PGP SIGNATURE-----
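The "Unauthenticated Arbitrary File Read via XXE" entry names the vulnerability class but, as an advisory, says nothing about how the parser was misconfigured. The following is an added, generic illustration of that class in Python's standard-library xml.sax parser; it is not ClearPass code and makes no claim about which XML parser ClearPass uses. The vulnerable variant enables external general entity resolution, which lets a DOCTYPE in attacker-supplied XML pull a local file into the document; the hardened variant keeps external entities off and refuses any DTD outright, which is the usual fix for this class. The secret file, its path and its contents are constructed for the demo.

```python
"""XXE arbitrary file read in xml.sax: vulnerable parser beside a hardened one.
Added example; not part of the advisory and not ClearPass code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE.  Entities can only be declared
    in a DTD, so untrusted input that carries one is rejected before any
    entity is resolved.  The other callbacks are required by the interface."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_document(path):
    """Attacker-controlled XML: an external entity pointing at a local file."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
            '<data>&xxe;</data>' % path).encode()


def parse_vulnerable(xml_bytes):
    """Misconfigured parser: external general entities are fetched and inlined."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the XXE misconfiguration
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes):
    """Parser for untrusted XML: no external entities of either kind, and no DTD."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external general entities
    parser.setFeature(feature_external_pes, False)  # nor external parameter entities
    parser.setProperty(property_lexical_handler, RejectDTD())  # and refuse DTDs entirely
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Plant a constructed secret file, then parse the same malicious XML twice.
    Returns (what the vulnerable parser leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "secret.txt")   # constructed sample file
        with open(secret_path, "w") as f:
            f.write("db_password=s3cret")
        doc = xxe_document(secret_path)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            blocked = False
        except ValueError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned: %r" % leaked)
    print("hardened parser rejected the document: %s" % blocked)
```

The file content appears verbatim as the text of the <data> element in the vulnerable case, which is exactly the primitive the advisory describes (any readable file, unauthenticated, returned inside a response). The hardened parser still handles ordinary DTD-free documents normally; disabling DTDs rather than only external entities also closes off parameter-entity and out-of-band variants that a narrower fix can miss.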