-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-004
CVE: CVE-2017-9001, CVE-2017-9002
Publication Date: 2017-Sep-27
Status: Confirmed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Aruba has released an update to ClearPass Policy Manager that addresses
two security vulnerabilities.

Affected Products
=================

-- ClearPass Policy Manager (all versions prior to 6.6.8)

Details
=======

Unauthenticated Remote Command Execution (CVE-2017-9001)
--------------------------------------------------------

This vulnerability is only present when a specific feature has been
enabled. ClearPass 6.6.3 and later includes a feature called "SSH
Lockout", which causes ClearPass to lock accounts after too many failed
login attempts through SSH. When this feature is enabled, an
unauthenticated remote command execution vulnerability is present which
could allow an unauthenticated user to execute arbitrary commands on the
underlying operating system with "root" privilege level.

The SSH Lockout feature is not enabled by default, so only systems on
which this feature has been enabled are vulnerable.

Severity: HIGH
CVSSv3 Overall Score: 7.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Discovery: This vulnerability was discovered by Luke Young
(@TheBoredEng) and reported through the BugCrowd managed bug bounty
program.

Reflected Cross-Site Scripting (CVE-2017-9002)
----------------------------------------------

All versions of ClearPass prior to 6.6.8 contain reflected cross-site
scripting vulnerabilities. By exploiting this vulnerability, an attacker
who can trick a logged-in ClearPass administrative user into clicking a
link could obtain sensitive information, such as session cookies or
passwords. The vulnerability requires that an administrative user click
on the malicious link while logged into ClearPass in the same browser.

Severity: MEDIUM
CVSSv3 Overall Score: 4.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered by independent security
researcher @mongobug and reported through the BugCrowd managed bug
bounty program.

Resolution
==========

Upgrade ClearPass Policy Manager to version 6.6.8.

Version 6.6.8 also contains fixes for the Apache Struts vulnerabilities
CVE-2017-9804 and CVE-2017-12611, both previously announced.

Workarounds
===========

As a standard best practice, Aruba recommends that ClearPass
administrators restrict access to the Policy Manager Admin Web
Interface. This can be accomplished by navigating to Administration >>
Server Manager >> Server Configuration >> Network >> Restrict Access and
only allowing non-public or network management networks.

CVE-2017-9001 is effectively mitigated by restricting access to the
Admin Web Interface.

Disabling the SSH Lockout feature can temporarily mitigate
CVE-2017-9001.

Revision History
================

Revision 1 / 2017-Sep-27 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products and on obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZybPTAAoJEJj+CcpFhYbZr2IH/j9P7zuEBQXQwaMgpqqZUe4/
Ldl4Rs29wToKTKfy4RzSXUfpptyorqsgokrP39I4OQgoY2mxs48gidWvQFMpTUpr
x0WjxDWr+Zms2DNRvYIvvsWMXKgdIX8SaS3dwzN5107AW2FchPaaS52BDmgdLcXx
S8S+kJcHke17QK9zbseDCbNA1FqQkmFJOsKGTp8XxlzbJL6C7Q2ESwL5P9duCpRS
PzWxGPA0xcJz6Gh2l6sFoW2bs48k/I1gRev4wbC5uiSY3qHmPCbH0qwCBo3e4ljK
rkkqBaODpKVu6hz2vvCXv4P0t15eQSKyWMghfMk04uhGWFZeYIkqq/OAlA9NfAA=
=WtxI
-----END PGP SIGNATURE-----