Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-007
CVE: CVE-2018-7063, CVE-2018-7065, CVE-2018-7066, CVE-2018-7067, CVE-2018-7079
Publication Date: 2018-Nov-7
Status: Confirmed
Revision: 1

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Aruba has released an update to ClearPass Policy Manager that addresses
multiple security vulnerabilities.

Affected Products
=================

ClearPass 6.7.x prior to 6.7.6
ClearPass 6.6.10 and earlier without hotfix applied

Details
=======

Disabled API admins can still perform read/write operations (CVE-2018-7063)
---------------------------------------------------------------------------

In certain circumstances, API admins in ClearPass which have been disabled
may still be able to perform read/write operations on parts of the XML API.
This can lead to unauthorized access to the API and complete compromise of
the ClearPass instance if an attacker knows of the existence of these
accounts.

Severity: Critical
CVSSv3 Overall Score: 9.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Workaround: Changing account passwords after disabling them prevents this
issue.

Discovery: This vulnerability was discovered and reported by William Rogers
of L3 Technologies.

Resolution: Fixed in 6.7.3 and 6.6.10

Authenticated SQL injection can lead to privilege escalation (CVE-2018-7065)
----------------------------------------------------------------------------

All versions of ClearPass are affected by multiple authenticated SQL
injection vulnerabilities. In each case, an authenticated administrative
user of any type could exploit this vulnerability to gain access to
"appadmin" credentials, leading to complete cluster compromise.

Severity: HIGH
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.

Resolution: Fixed in 6.7.6 and 6.6.10-hotfix

Unauthenticated remote command execution on linked devices (CVE-2018-7066)
--------------------------------------------------------------------------

The ClearPass OnConnect feature permits administrators to link other network
devices into ClearPass for the purpose of collecting enhanced information
about connected endpoints. A defect in the API could allow an attacker to
execute arbitrary commands on one of the linked devices. This vulnerability
is only applicable if credentials for devices have been supplied to
ClearPass under Configuration -> Network -> Devices -> CLI Settings.

Severity: CRITICAL
CVSSv3 Overall Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.

Resolution: Fixed in 6.7.5 and 6.6.10-hotfix

Authentication bypass leads to complete cluster compromise (CVE-2018-7067)
--------------------------------------------------------------------------

An authentication flaw in all versions of ClearPass could allow an attacker
to compromise the entire cluster through a specially crafted API call.
Network access to the administrative web interface is required to exploit
this vulnerability.

Severity: CRITICAL
CVSSv3 Overall Score: 10.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.

Resolution: Fixed in 6.7.6 and 6.6.10-hotfix

ClearPass Guest Authorization Failure (CVE-2018-7079)
-----------------------------------------------------

Certain administrative operations in ClearPass Guest do not properly enforce
authorization rules, which allows any authenticated administrative user to
execute those operations regardless of privilege level. This could allow
low-privilege users to view, modify, or delete guest users.

Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.

Resolution: Fixed in 6.7.6 and 6.6.10-hotfix

Resolution
==========

1. Upgrade ClearPass Policy Manager 6.7.x to version 6.7.6
2. For ClearPass 6.6.x, first upgrade to 6.6.10, then apply the ClearPass
   6.6.10 hotfix.

Workarounds
===========

None.

As a standard best practice, Aruba recommends that ClearPass administrators
restrict access to the Policy Manager Admin Web Interface. This can be
accomplished by navigating to Administration >> Server Manager >> Server
Configuration >> Network >> Restrict Access and only allowing non-public or
network management networks.

Revision History
================

Revision 1 / 2018-Nov-7 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.
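The per-CVE fixed-in versions and the two-step 6.6.x remediation above are easy to misread during triage, so here is an added exposure check (example code written for this page, not an Aruba tool). The fixed-in builds are taken from the advisory text; the `hotfix_6610` flag is an assumption standing in for however an operator records that the 6.6.10 hotfix has been applied, and any 6.6 build newer than 6.6.10 is assumed to carry the fix since the advisory names none.

```python
# Fixed-in builds copied from ARUBA-PSA-2018-007. hotfix_6610 is an assumed
# operator-supplied flag; the advisory defines no machine-readable marker for it.
# Per CVE: (first fixed 6.7.x build, first fixed 6.6.x build, 6.6.10 needs hotfix?)
FIXES = {
    "CVE-2018-7063": ((6, 7, 3), (6, 6, 10), False),
    "CVE-2018-7065": ((6, 7, 6), (6, 6, 10), True),
    "CVE-2018-7066": ((6, 7, 5), (6, 6, 10), True),
    "CVE-2018-7067": ((6, 7, 6), (6, 6, 10), True),
    "CVE-2018-7079": ((6, 7, 6), (6, 6, 10), True),
}

def parse_version(text):
    """Turn '6.7.4' into (6, 7, 4); rejects anything without three numeric parts."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ClearPass version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def exposed_cves(version, hotfix_6610=False):
    """Return the CVEs from this advisory that the given build is still exposed to."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in ((6, 6), (6, 7)):
        raise ValueError(f"{version} is not a 6.6.x or 6.7.x build covered here")
    exposed = []
    for cve, (fix67, fix66, needs_hotfix) in FIXES.items():
        if branch == (6, 7):
            vulnerable = v < fix67
        elif v < fix66:
            vulnerable = True                      # 6.6.x older than 6.6.10
        elif v == fix66:
            vulnerable = needs_hotfix and not hotfix_6610
        else:
            vulnerable = False                     # assumption: later 6.6 build has the fix
        if vulnerable:
            exposed.append(cve)
    return exposed

def remediation(version, hotfix_6610=False):
    """The advisory's Resolution step for this build, or None if nothing is outstanding."""
    if not exposed_cves(version, hotfix_6610):
        return None
    v = parse_version(version)
    if v[:2] == (6, 7):
        return "Upgrade ClearPass Policy Manager 6.7.x to version 6.7.6"
    if v < (6, 6, 10):
        return "Upgrade to 6.6.10, then apply the ClearPass 6.6.10 hotfix"
    return "Apply the ClearPass 6.6.10 hotfix"
```

Note that 6.7.3 and 6.7.5 each close only one CVE; a cluster on those builds still needs 6.7.6 for the rest.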