-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2020-004
CVE: CVE-2020-7110, CVE-2020-7111, CVE-2020-7113, CVE-2020-7114
Publication Date: 2020-Apr-14
Last Update: 2020-May-05
Status: Confirmed
Revision: 3

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
Aruba has released updates to ClearPass Policy Manager that address
multiple security vulnerabilities.

Affected Products
=================
ClearPass 6.8.x prior to 6.8.4
ClearPass 6.7.x prior to 6.7.13

Details
=======

Authentication Bypass leads to database changes (CVE-2020-7114)
---------------------------------------------------------------------
A defect in authentication state management could permit an attacker
to make database modifications that would lead to the attacker gaining
full administrative privileges over the ClearPass cluster. The attacker
would need the ability to communicate with a ClearPass server's web
interface. Access to any web interface, including the guest interface,
is sufficient to carry out the attack.

Internal references: ATLCP-49, ATLCP-70
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Luke Young
(@TheBoredEng), via Aruba's Bug Bounty program.
Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher

Authenticated Remote Code Execution (CVE-2020-7111)
---------------------------------------------------------------------
A server-side injection vulnerability exists which could allow an
authenticated administrative user to achieve Remote Code Execution in
ClearPass.

Internal reference: ATLCP-50
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Luke Young
(@TheBoredEng), via Aruba's Bug Bounty program.
Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher

Authenticated Stored Cross-Site Scripting (CVE-2020-7110)
---------------------------------------------------------------------
ClearPass is vulnerable to Stored Cross-Site Scripting: a malicious
administrator, or a compromised administrator account, can save
malicious scripts within ClearPass that could later be executed,
resulting in a privilege escalation attack.

Internal references: ATLCP-52, ATLCP-53, ATLCP-54, ATLCP-55
Severity: Medium
CVSSv3 Overall Score: 4.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Discovery: This vulnerability was discovered and reported by Sathish
(@s4thi5h), via Aruba's Bug Bounty program.
Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher

Information Disclosure by changing HTTP parameters (CVE-2020-7113)
---------------------------------------------------------------------
An attacker communicating with the ClearPass management interface who
is able to intercept and manipulate parameters in HTTP messages could
compromise some of ClearPass' service accounts.

Internal reference: ATLCP-40
Severity: Medium
CVSSv3 Overall Score: 4.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Discovery: This vulnerability was discovered and reported by Darrell
Damstedt (@hateshape), via Aruba's Bug Bounty program.
Resolution: Fixed in 6.7.10, 6.8.1, 6.9.0 and higher

Resolution
==========
1. Upgrade ClearPass Policy Manager 6.8.x to version 6.8.4
2. Upgrade ClearPass Policy Manager 6.7.x to version 6.7.13

Workarounds
===========
None.

Revision History
================
Revision 1 / 2020-Apr-14 / Initial release
Revision 2 / 2020-Apr-14 / Changed affected 6.8.x version and resolution
Revision 3 / 2020-May-05 / Description of CVE-2020-7114 rewritten to
provide a clearer explanation. Removed best practice comment on
restricting access to the Policy Manager Admin Web Interface since it
could be interpreted as a viable workaround for CVE-2020-7114.

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products, and on obtaining assistance with security incidents,
is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAl6wjI0ACgkQmP4JykWF
htl92Qf/VaGgYk/Y8SAFKOTCwg2K5jYeLtwuqt3EQh1aA6AEDfRKOirjlQJUdkSW
eKBJVC2OjuOrvNaiEgKH+P4up9V1Bs4Cueu+kW/8pIJisg+K1Pehx4JexyxaUmL7
wPekibuEcYB+Aj6y+27il1jKKDsWz2UwxgjMU1KnAaPJ2/FN6Ns77PEWfnu8RzyS
9bfplriGQhRMOwbKhrWR5Ejersf/hIOCWlKnU5TIFOznWnJgemSBDQtBKLq58x2K
aPjiJVikO52/CjoOSGeEBeGInEci2QcrKcHk1ylmDN7P86qVwIqlubrrKFcSuiU3
M8Iv8opBporM0dgvFbsB5Yb3zw6hiA==
=1HDC
-----END PGP SIGNATURE-----