Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-010
CVE: CVE-2016-4401
Publication Date: 2016-Sep-21
Status: Confirmed, Fixed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities have been fixed in ClearPass Policy Manager.
Update to the latest supported version to address all vulnerabilities.

Affected Products
=================

-- ClearPass Policy Manager up to, but not including, 6.5.7 and 6.6.2

Details
=======

Because all vulnerabilities described in this advisory are fixed in the
same set of software releases, and are not separable, a single CVE number
(CVE-2016-4401) is being used to track the entire set.

Unauthenticated Database Credential Leak
----------------------------------------

It is possible for an unauthenticated user with network access to a
ClearPass server to expose database credentials. This vulnerability
leads to complete system compromise.

Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by 1N3@CrowdShield and
reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Unauthenticated Remote Command Execution as 'root'
--------------------------------------------------

A configuration error in an authentication library used by multiple
ClearPass services could allow an unauthenticated remote user with
network access to the ClearPass server to execute arbitrary commands as
"root". This vulnerability leads to complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant
Labs and reported through the BugCrowd managed bug bounty program.
FIX: Fixed in 6.5.7 and 6.6.2

Unauthenticated Arbitrary File Read via XXE
-------------------------------------------

A vulnerability related to XML External Entity processing (XXE) allows
an unauthenticated user with network access to a ClearPass server to
read arbitrary files from the filesystem with the permission level of
the web server process.

Severity: MEDIUM
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered by "fmast" and reported
through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Authenticated Remote Command Execution as 'root'
------------------------------------------------

Multiple ClearPass web interfaces do not perform proper input
validation, which allows authenticated administrative users of any
privilege level to inject commands that will be executed as 'root'.
This can be used to achieve complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young of Hydrant
Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Authenticated SQL Injection
---------------------------

Multiple SQL injection vulnerabilities exist that permit an
authenticated administrative user of any privilege level to retrieve
arbitrary information from the database and execute stored procedures
with database privileges. This vulnerability can be used in combination
with other vulnerabilities to achieve complete system compromise.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was reported through the BugCrowd managed
bug bounty program.
FIX: Fixed in 6.5.7 and 6.6.2

Privilege Escalation
--------------------

Multiple privilege escalation vulnerabilities exist that permit an
authenticated administrative user of any privilege level to escalate
privileges to "SuperAdministrator". Once escalated, the user may
exercise any administrative action.

Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Discovery: This vulnerability was reported through the BugCrowd managed
bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Weak SOAP Session ID Generation
-------------------------------

SOAP is used as part of the communication mechanism between ClearPass
cluster members. The method used to generate SOAP session IDs uses
insufficient entropy. As a result, it is possible that an attacker could
brute-force a SOAP session ID and use it to impersonate a cluster
member.

Severity: LOW
CVSSv3 Overall Score: 3.3
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Discovery: This vulnerability was discovered by Luke Young of Hydrant
Labs and reported through the BugCrowd managed bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Authenticated Reflected Cross-Site Scripting
--------------------------------------------

Numerous reflected cross-site scripting vulnerabilities are present,
which could allow an administrative user to be tricked into executing
configuration commands on a ClearPass server.

Severity: LOW
CVSSv3 Overall Score: 3.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Discovery: This vulnerability was reported through the BugCrowd managed
bug bounty program.

FIX: Fixed in 6.5.7 and 6.6.2

Resolution
==========

Update ClearPass to version 6.5.7 or higher, or version 6.6.2 or higher.
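The affected range above ("up to, but not including, 6.5.7 and 6.6.2") spans two release trains, so a single-threshold comparison against 6.5.7 would wrongly report 6.6.0 and 6.6.1 as fixed. The following is an added example, not code from the Aruba advisory; the train-to-first-fixed mapping and the treatment of trains newer than 6.6 as out of scope are assumptions.

```python
# Added example, not part of the Aruba advisory: classify a ClearPass
# Policy Manager version against the CVE-2016-4401 affected range,
# "up to, but not including, 6.5.7 and 6.6.2".
# Assumed reading of that range: the 6.6 train is fixed from 6.6.2, every
# earlier train (6.5, 6.4, ...) is fixed from 6.5.7, and trains newer than
# 6.6 are outside the advisory's scope.
from typing import Dict, Tuple

FIRST_FIXED = {(6, 6): (6, 6, 2)}   # train -> first fixed release
FIRST_FIXED_DEFAULT = (6, 5, 7)     # 6.5 and every earlier train
NEWEST_TRAIN = (6, 6)               # newest train the advisory covers


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.6.1' -> (6, 6, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    version = parse_version(text)
    train = version[:2]
    if train > NEWEST_TRAIN:
        return False                      # not covered by this advisory
    fixed = FIRST_FIXED.get(train, FIRST_FIXED_DEFAULT)
    # Tuple comparison is lexicographic: (6, 6, 1) < (6, 6, 2), while a
    # patch suffix on a fixed release, e.g. (6, 5, 7, 1), compares greater.
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """host -> version  ==>  host -> 'AFFECTED' | 'not affected' | 'unknown version'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown version"   # fix the inventory, do not guess
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"cppm-a": "6.4.2", "cppm-b": "6.5.7", "cppm-c": "6.6.1", "cppm-d": "6.7.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```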
Revision History
================

Revision 1 / 2016-Sep-21 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products, and on obtaining assistance with security incidents,
is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.