-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-009
CVE: CVE-2016-2107, CVE-2016-2118, CVE-2016-2034
Publication Date: 2016-Jun-01
Last update: 2016-Jun-04
Status: Confirmed, Fixed
Revision: 3

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in ClearPass Policy Manager. Given the severity of these issues, customers are urged to update their software immediately by applying a hotfix patch.

Affected Products
=================

-- ClearPass Policy Manager 6.5.6 and earlier
-- ClearPass Policy Manager 6.6.0

Details
=======

OpenSSL Padding Oracle in AES-NI CBC MAC check (CVE-2016-2107)
--------------------------------------------------------------

The OpenSSL team published a security advisory on 03-May-2016 containing multiple vulnerabilities: https://www.openssl.org/news/secadv/20160503.txt. ClearPass, when running directly on Intel AES-NI compatible processors, is vulnerable to CVE-2016-2107. When ClearPass is running as a virtual appliance on top of a hypervisor, it MAY be vulnerable depending on whether or not the hypervisor exposes the AES-NI instruction set.

Severity: MEDIUM
CVSSv2 Overall Score: 6.8
CVSSv2 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Discovery: This vulnerability was publicly reported.
FIX: Apply the latest ClearPass hotfix for 6.5.6 or 6.6.0 to address this vulnerability.

SAMR and LSA man in the middle attacks ("BADLOCK") (CVE-2016-2118)
------------------------------------------------------------------

Note: The fix for this vulnerability was previously issued as a patch. The latest ClearPass patch also contains this fix; there is no need to apply multiple patches.
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

Severity: MEDIUM
CVSSv2 Overall Score: 6.8
CVSSv2 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Discovery: This vulnerability was publicly reported.
FIX: Update to ClearPass 6.5.6 if running 6.5.x, or apply the latest ClearPass 6.6.0 hotfix if running 6.6.0, to address this vulnerability.

Unauthenticated SQL Injection (CVE-2016-2034)
---------------------------------------------

A SQL injection vulnerability exists in ClearPass Policy Manager that permits an unauthenticated user with access to the ClearPass administrative web interface to obtain sensitive information, including information that could lead to complete system compromise.

Update: After the initial release of this advisory, it was learned that this vulnerability has other exploit mechanisms besides the ClearPass administrative web interface. Therefore, restricting access to the web interface is not a completely effective workaround. In the interest of protecting customer networks from targeted attack, further details are not being released at this time.

Severity: HIGH
CVSSv2 Overall Score: 8.1
CVSSv2 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered by Damien FOULDE of Axians and reported through the BugCrowd managed bug bounty program.
FIX: Update to ClearPass 6.5.6 if running 6.5.x, or apply the latest ClearPass 6.6.0 hotfix if running 6.6.0, to address this vulnerability.

Resolution
==========

A hotfix patch for ClearPass 6.5.6 and 6.6.0 has been made available to address these issues. The following methods may be used to install the patch in ClearPass 6.5.6 and ClearPass 6.6.0.
Installing the Patch Online Using the Software Updates Portal:

1. Open ClearPass Policy Manager and go to Administration > Agents and Software Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the 'ClearPass 6.5.6 Hotfix Patch for CVE-2016-2107' or 'ClearPass 6.6.0 Hotfix Patch for CVE-2016-2034, CVE-2016-2107 and CVE-2016-2118' patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as 'Needs Restart', proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com:

1. Download the 'ClearPass 6.5.6 Hotfix Patch for CVE-2016-2107' or 'ClearPass 6.6.0 Hotfix Patch for CVE-2016-2034, CVE-2016-2107 and CVE-2016-2118' patch from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration > Agents and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded patch file. The name and description once imported may differ from the name and remark on the support site, as these were adjusted after posting. This is purely a cosmetic discrepancy.
4. Click Install.
5. When the installation is complete and the status is shown as 'Needs Restart', proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

The following methods may be used to install the patch in ClearPass 6.6.0 ONLY.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com and HTTP:

1. Download the 'ClearPass 6.6.0 Hotfix Patch for CVE-2016-2034, CVE-2016-2107 and CVE-2016-2118' patch from the Support site.
2. Post the patch file to a local HTTP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin' account.
4. Type 'system update -i '
5. When the installation is complete, issue 'system restart'. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com and SCP:

1. Download the 'ClearPass 6.6.0 Hotfix Patch for CVE-2016-2034, CVE-2016-2107 and CVE-2016-2118' patch from the Support site.
2. Post the patch file to a local SCP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin' account.
4. Type 'system update -i @'
5. When the installation is complete, issue 'system restart'. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Revision History
================

Revision 1 / 2016-Jun-01 / Initial release
Revision 2 / 2016-Jun-02 / Update to CVE-2016-2034 explanation
Revision 3 / 2016-Jun-04 / Updated patching instructions to make more clear

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
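The AES-NI caveat given for CVE-2016-2107 under Details above comes down to two things an operator can read from inside the guest: whether the CPU the appliance sees advertises the aes feature flag (which, on a hypervisor, is whatever the hypervisor chose to expose), and whether the OpenSSL build predates the release that carried the fix. The Python below is an added example written for this page; it is not Aruba code and is not shipped with ClearPass. It takes the text of /proc/cpuinfo and of `openssl version` as strings (constructed samples are embedded so it runs offline), and it assumes the fixed releases named in the OpenSSL advisory the text links to, 1.0.1t and 1.0.2h. It says nothing about whether a given ClearPass hotfix is installed; the patch status in the Software Updates page is the authority for that.

```python
"""Exposure triage for CVE-2016-2107 (OpenSSL AES-NI CBC padding oracle).

Added example, not Aruba's code. It scores the two signals the advisory
calls out: does the CPU the guest sees expose AES-NI, and does the OpenSSL
build predate the fixed releases (1.0.1t / 1.0.2h per the OpenSSL
2016-05-03 advisory linked in the text).
"""
import re
from typing import Optional, Tuple

# Patch letter at which each branch was fixed (OpenSSL advisory of 2016-05-03).
FIXED_LETTER = {"1.0.1": "t", "1.0.2": "h"}

# Constructed sample inputs; not captured from a real appliance.
SAMPLE_CPUINFO_AESNI = (
    "processor\t: 0\n"
    "model name\t: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 aes avx\n"
)
# Same host, but the hypervisor masks the aes flag from the guest.
SAMPLE_CPUINFO_NO_AESNI = SAMPLE_CPUINFO_AESNI.replace(" aes ", " ")
SAMPLE_OPENSSL_OLD = "OpenSSL 1.0.2g  1 Mar 2016"
SAMPLE_OPENSSL_FIXED = "OpenSSL 1.0.2h  3 May 2016"


def aesni_exposed(cpuinfo_text: str) -> bool:
    """True if any 'flags' line of /proc/cpuinfo lists the 'aes' feature.

    Inside a VM this reflects what the hypervisor chose to expose, which is
    exactly the advisory's 'MAY be vulnerable' caveat for virtual appliances.
    Token comparison is exact, so e.g. 'vaes' does not count as 'aes'.
    """
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and "aes" in value.split():
            return True
    return False


def parse_openssl_version(version_output: str) -> Tuple[str, str]:
    """Split 'OpenSSL 1.0.2g  1 Mar 2016' into ('1.0.2', 'g')."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", version_output)
    if not m:
        raise ValueError("unrecognised 'openssl version' output: %r" % version_output)
    return m.group(1), m.group(2)


def openssl_vulnerable_to_cve_2016_2107(version_output: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if at or past it.

    Returns None for branches the fix table does not cover (1.1.0 pre-releases,
    or the unsupported 1.0.0 / 0.9.8 lines), so a caller cannot mistake
    'not assessed' for 'safe'.
    """
    branch, letter = parse_openssl_version(version_output)
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        return None
    # Patch letters are single lowercase characters, so plain string
    # comparison orders them; a bare '1.0.2' (letter '') sorts before 'a'.
    return letter < fixed


def assess(cpuinfo_text: str, version_output: str) -> str:
    """Combine both signals into one verdict for a host.

    'exposed' - vulnerable OpenSSL and AES-NI visible: the affected code path runs.
    'latent'  - vulnerable OpenSSL but AES-NI not visible: patch anyway, since a
                hypervisor or hardware change would flip this to 'exposed'.
    'patched' - OpenSSL at or past the fixed release for its branch.
    'unknown' - OpenSSL branch not covered by the fix table.
    """
    vuln = openssl_vulnerable_to_cve_2016_2107(version_output)
    if vuln is None:
        return "unknown"
    if not vuln:
        return "patched"
    return "exposed" if aesni_exposed(cpuinfo_text) else "latent"


if __name__ == "__main__":
    for label, cpu in (("AES-NI visible to guest", SAMPLE_CPUINFO_AESNI),
                       ("AES-NI masked by hypervisor", SAMPLE_CPUINFO_NO_AESNI)):
        for ssl in (SAMPLE_OPENSSL_OLD, SAMPLE_OPENSSL_FIXED):
            print(f"{label:30} {ssl:28} -> {assess(cpu, ssl)}")
```

The 'latent' verdict is the one to watch in virtual deployments: the library defect is present even when the hypervisor currently hides AES-NI, so the hotfix is still required rather than optional.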
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXUvOcAAoJEJj+CcpFhYbZ7kYIAKdA4GOvs8HqVxkW8aYyi/Gv
6FD8ohPcP8DZK7n6Jdeo0xDjivcwyj+SFb/0v5VEVRf4K+MBw/jdkH+5sCUuBmmc
qCPLPxjnL9HZk7Rid/j/b2/SUVlm38CCshpzNDOltq7IH38SVcxFlNot/bkiTDOI
LFPUQcRKbFKkiG3LMVbhwlZgJ3zEjvkcDTXUKCPa/7G3McDDt1qyp7IyvKDwS53z
ZsPZG5nZ7diH05JFjLtnQgluL6uQ3W91rKXM+9nAr4u44/mjaJ/K5XS3Wvaw6Ocy
5BLO4J5kxWPiPcfKhI/od00+MeeRe2xO31ch8D3fxVgXrx5YtD8JTZRndkiTWVc=
=usWT
-----END PGP SIGNATURE-----