-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-003
CVE: CVE-2018-7058, CVE-2018-7059, CVE-2018-7060, CVE-2018-0489
Publication Date: 2018-Mar-21
Status: Confirmed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Aruba has released an update to ClearPass Policy Manager that addresses four security vulnerabilities.

Affected Products
=================

ClearPass 6.6.x prior to 6.6.9
ClearPass 6.7.x prior to 6.7.2

Details
=======

Authentication bypass can lead to server compromise (CVE-2018-7058)
-------------------------------------------------------------------

All versions of ClearPass 6.6.x prior to 6.6.9 are affected by an authentication bypass vulnerability. An unauthenticated attacker can leverage this vulnerability to gain administrator privileges on the system. The vulnerability is exposed only on ClearPass web interfaces, including administrative, guest captive portal, and API. Customers who do not expose ClearPass web interfaces to untrusted users are impacted to a lesser extent.

Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng) and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.

Authenticated disclosure of cluster password (CVE-2018-7059)
------------------------------------------------------------

This vulnerability is only present when authenticated as a user with "mon" permission. ClearPass prior to 6.6.9 has a vulnerability in the API that helps to coordinate cluster actions. An authenticated user with the 'mon' permission could use this vulnerability to obtain cluster credentials, which could allow privilege escalation.
Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng) and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.

Authenticated sessions are vulnerable to CSRF attacks (CVE-2018-7060)
---------------------------------------------------------------------

ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 are vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.

Severity: MEDIUM
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Resolution: Fixed in 6.6.9 and 6.7.1.

Authenticated user can gain access as different user (CVE-2018-0489)
--------------------------------------------------------------------

ClearPass includes a third-party implementation of SAML that can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password. This vulnerability is only present if ClearPass SAML features are enabled under Configuration -> Identity -> Single Sign-On (SSO).

The vulnerability affects all versions of ClearPass prior to 6.6.9 that have not applied 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489', and ClearPass 6.7.x prior to 6.7.2.

This vulnerability affects all uses of SAML within ClearPass, including:

- Administrative logins to Policy Manager, Guest and Insight.
- Onboard device provisioning portals.
- Guest Operator Login to Guest and Onboard applications.
- Aruba Auto Sign-On (ASO).

Severity: HIGH
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Resolution
==========

1. If running any of the prior 6.6.x versions, upgrade ClearPass Policy Manager to version 6.6.9 and then install the 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489'.
   Note: Version 6.6.9 also contains fixes for CVE-2017-9001 and CVE-2017-5708, which were previously announced.

2. If running ClearPass Policy Manager 6.7.0 or 6.7.1, upgrade to version 6.7.2.

Workarounds
===========

None.

As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> >> Network >> Restrict Access and only allowing non-public or network management networks.

Revision History
================

Revision 1 / 2018-Mar-21 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
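The fixed-version table in this advisory is easy to misread, because CVE-2018-7060 and CVE-2018-0489 have later fix points on the 6.7.x branch and 6.6.9 still needs a separate hotfix for CVE-2018-0489. The following triage helper, added here as an example and not Aruba's own tooling, encodes the Resolution lines above so a ClearPass inventory can be checked for which of the four CVEs remain open on a given version; it assumes a 6.6.x build at or above 6.6.9 still requires the hotfix, and that the hotfix and SAML states are supplied by the operator.

```python
"""Affected-version triage for ARUBA-PSA-2018-003 (added example, not Aruba code)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed release per CVE and branch, taken from the advisory's Resolution lines.
FIXED: Dict[str, Dict[str, str]] = {
    "CVE-2018-7058": {"6.6": "6.6.9", "6.7": "6.7.0"},
    "CVE-2018-7059": {"6.6": "6.6.9", "6.7": "6.7.0"},
    "CVE-2018-7060": {"6.6": "6.6.9", "6.7": "6.7.1"},
    "CVE-2018-0489": {"6.6": "6.6.9", "6.7": "6.7.2"},  # 6.6.9 also needs the hotfix
}


def parse_version(text: str) -> Version:
    """'6.6.9' -> (6, 6, 9); missing trailing components are treated as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def unpatched_cves(version: str, hotfix_0489: bool = False,
                   saml_enabled: bool = True) -> List[str]:
    """Return the CVEs from this advisory still open on the given ClearPass build.

    hotfix_0489: whether 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489' is installed.
    saml_enabled: whether SAML SSO is enabled (CVE-2018-0489 only applies if it is).
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in ("6.6", "6.7"):
        raise ValueError(f"branch {branch} is not covered by ARUBA-PSA-2018-003")
    open_cves: List[str] = []
    for cve, fixes in FIXED.items():
        if v < parse_version(fixes[branch]):
            open_cves.append(cve)
        elif cve == "CVE-2018-0489" and branch == "6.6" and not hotfix_0489:
            # Assumption: every 6.6.x build at or above 6.6.9 needs the hotfix.
            open_cves.append(cve)
    if not saml_enabled:
        open_cves = [c for c in open_cves if c != "CVE-2018-0489"]
    return open_cves


if __name__ == "__main__":
    # Constructed inventory: (version, hotfix applied, SAML enabled)
    for build in [("6.6.8", False, True), ("6.6.9", False, True),
                  ("6.6.9", True, True), ("6.7.0", False, False), ("6.7.2", False, True)]:
        print(build, "->", unpatched_cves(*build) or "patched")
```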