-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Aruba Product Security Advisory
==================================

Advisory ID: ARUBA-PSA-2021-004
CVE: CVE-2020-7120, CVE-2021-26677, CVE-2021-26678, CVE-2021-26679,
     CVE-2021-26680, CVE-2021-26681, CVE-2021-26682, CVE-2021-26683,
     CVE-2021-26684, CVE-2021-26685, CVE-2021-26686
Publication Date: 2021-Feb-16
Last Updated: 2021-Mar-05
Status: Confirmed
Revision: 3

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
Aruba has released updates to ClearPass Policy Manager that address
multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect ClearPass running the following patch
versions:

- ClearPass 6.9.x prior to 6.9.5
- ClearPass 6.8.x prior to 6.8.8-HF1
- ClearPass 6.7.x prior to 6.7.14-HF1

Details
=======

Unauthenticated Stored Cross-Site Scripting Vulnerability (XSS) in
ClearPass Web Administration Interface (CVE-2021-26678)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ClearPass
could allow an unauthenticated remote attacker to conduct a stored
cross-site scripting (XSS) attack against an administrative user of
the interface. A successful exploit could allow an attacker to execute
arbitrary script code in a victim's browser in the context of the
affected interface.

Internal references: ATLCP-88
Severity: High
CVSSv3 Overall Score: 8.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in 6.9.2, 6.8.6, 6.7.14 and above

Authenticated Remote Command Injection in ClearPass CLI
(CVE-2021-26681)
---------------------------------------------------------------------
A vulnerability in the ClearPass CLI could allow remote authenticated
users to run arbitrary commands on the underlying host.
A successful exploit could allow an attacker to execute arbitrary
commands as root on the underlying operating system, leading to
complete system compromise.

Internal references: ATLCP-95, ATLCP-96
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in 6.9.2, 6.8.7, 6.7.14 and above

Authenticated Remote Command Injection in ClearPass WebUI
(CVE-2021-26679, CVE-2021-26680, CVE-2021-26683, CVE-2021-26684)
---------------------------------------------------------------------
Vulnerabilities in the ClearPass web-based management interface allow
remote authenticated users to run arbitrary commands on the underlying
host. A successful exploit could allow an attacker to execute arbitrary
commands as root on the underlying operating system, leading to
complete system compromise.

Internal references: ATLCP-51, ATLCP-58, ATLCP-62, ATLCP-63, ATLCP-67,
ATLCP-68, ATLCP-69, ATLCP-73, ATLCP-75, ATLCP-83, ATLCP-85, ATLCP-86,
ATLCP-121
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz), Luke Young (bugcrowd.com/bored-engineer) and Erik
De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Resolution: Fixed in 6.9.5, 6.8.8, 6.7.14-HF1 and above

Local Escalation of Privilege via ClearPass OnGuard (CVE-2021-26677)
---------------------------------------------------------------------
A vulnerability in ClearPass OnGuard could allow local authenticated
users on a Windows platform to elevate their privileges. A successful
exploit could allow an attacker to execute arbitrary code with SYSTEM
level privileges.
Internal references: ATLCP-87
Severity: High
CVSSv3 Overall Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in 6.9.2, 6.8.7, 6.7.14 and above

SQL Injection Vulnerabilities in ClearPass Web-based Management
Interface (CVE-2021-26685, CVE-2021-26686)
---------------------------------------------------------------------
Vulnerabilities in the web-based management interface API of ClearPass
could allow an authenticated remote attacker to conduct SQL injection
attacks against the ClearPass instance. An attacker could exploit these
vulnerabilities to obtain and modify sensitive information in the
underlying database.

Internal references: ATLCP-90, ATLCP-89, ATLCP-76, ATLCP-72, ATLCP-65,
ATLCP-48
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) and Luke Young (bugcrowd.com/bored-engineer) via
Aruba's Bug Bounty Program

Resolution: Fixed in 6.9.3, 6.8.7, 6.7.14 and above

Reflected Cross-Site Scripting Vulnerability (XSS) in ClearPass Guest
Web Interface (CVE-2021-26682)
---------------------------------------------------------------------
A vulnerability in the guest portal interface of ClearPass could allow
a remote attacker to conduct a reflected cross-site scripting (XSS)
attack against a user of the portal. A successful exploit could allow
an attacker to execute arbitrary script code in a victim's browser in
the context of the guest portal interface.
Internal references: ATLCP-132
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by
Microsoft's Security Team

Resolution: Fixed in 6.9.5, 6.8.8-HF1, 6.7.14-HF1 and above

ClearPass OnGuard Buffer Overflow Vulnerability (CVE-2020-7120)
---------------------------------------------------------------------
A vulnerability in ClearPass OnGuard could allow local authenticated
users to cause a buffer overflow condition. A successful exploit could
allow a local attacker to execute arbitrary code in the context of the
affected binary, which runs under a lower-privileged account.

Internal references: ATLCP-112
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by Fernando
Romero de la Morena to Aruba SIRT.

Resolution: Fixed in 6.9.3, 6.8.8 and above

Resolution
==========
These vulnerabilities are fixed in the following CPPM patch releases:

- 6.9.5 : Released
- 6.8.8-HF1 : Released
- 6.7.14-HF1 : Released

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces for ClearPass be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above. Note that this workaround covers only the management-interface
issues: the two OnGuard vulnerabilities (CVE-2021-26677 and
CVE-2020-7120) are exploited locally on the endpoint running the
OnGuard agent, and the reflected XSS (CVE-2021-26682) is reached
through the guest portal rather than the management interface, so
those three are addressed only by upgrading.

ClearPass Security Hardening
============================
For general information on hardening ClearPass instances against
security threats please see the ClearPass Hardening Guide available at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code related to
these issues.
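The "Affected Products" and per-vulnerability "Resolution" lines above give everything needed to decide, for a given ClearPass build, which of the eleven CVEs are still open. The following script is an added example written for this page, not Aruba tooling; it transcribes those version tables and assumes ClearPass version strings of the form major.minor.patch with an optional -HFn hotfix suffix, ordering a hotfix strictly after its base release (so 6.8.8 is still exposed to CVE-2021-26682, which was fixed in 6.8.8-HF1). Trains the advisory does not mention (6.6.x, for instance) are reported as not covered rather than as safe.

```python
"""Check an installed ClearPass version against ARUBA-PSA-2021-004.

Added worked example; not Aruba tooling. Fixed-in versions are
transcribed from the advisory's per-vulnerability "Resolution" lines
and its "Affected Products" section.
"""
import re

# Fixed-in version per CVE and per release train (6.9 / 6.8 / 6.7).
# None: the advisory states no fixed version for that train.
_WEBUI_RCE = {"6.9": "6.9.5", "6.8": "6.8.8", "6.7": "6.7.14-HF1"}
_SQLI = {"6.9": "6.9.3", "6.8": "6.8.7", "6.7": "6.7.14"}
FIXED_IN = {
    "CVE-2021-26678": {"6.9": "6.9.2", "6.8": "6.8.6", "6.7": "6.7.14"},
    "CVE-2021-26681": {"6.9": "6.9.2", "6.8": "6.8.7", "6.7": "6.7.14"},
    "CVE-2021-26679": _WEBUI_RCE,
    "CVE-2021-26680": _WEBUI_RCE,
    "CVE-2021-26683": _WEBUI_RCE,
    "CVE-2021-26684": _WEBUI_RCE,
    "CVE-2021-26677": {"6.9": "6.9.2", "6.8": "6.8.7", "6.7": "6.7.14"},
    "CVE-2021-26685": _SQLI,
    "CVE-2021-26686": _SQLI,
    "CVE-2021-26682": {"6.9": "6.9.5", "6.8": "6.8.8-HF1", "6.7": "6.7.14-HF1"},
    "CVE-2020-7120": {"6.9": "6.9.3", "6.8": "6.8.8", "6.7": None},
}

# Per-train floor from "Affected Products": anything below is affected.
FIRST_FIXED = {"6.9": "6.9.5", "6.8": "6.8.8-HF1", "6.7": "6.7.14-HF1"}

# Assumed version syntax: major.minor.patch with optional -HFn suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-HF(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """'6.8.8-HF1' -> (6, 8, 8, 1). A release without a hotfix gets HF 0,
    so 6.8.8 sorts below 6.8.8-HF1, which matters for CVE-2021-26682."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ClearPass version: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def train(version_tuple):
    return f"{version_tuple[0]}.{version_tuple[1]}"


def affected_by_advisory(installed):
    """Mirror the 'Affected Products' section: True/False for a covered
    train, None when the train is not covered by this advisory."""
    v = parse_version(installed)
    floor = FIRST_FIXED.get(train(v))
    if floor is None:
        return None
    return v < parse_version(floor)


def open_cves(installed):
    """Return {CVE: status} for every CVE the advisory does not confirm as
    fixed on `installed`; CVEs confirmed fixed are omitted."""
    v = parse_version(installed)
    t = train(v)
    status = {}
    for cve, fixes in FIXED_IN.items():
        if t not in fixes:
            status[cve] = "release train not covered by this advisory"
        elif fixes[t] is None:
            status[cve] = "no fixed version stated for this train"
        elif v < parse_version(fixes[t]):
            status[cve] = f"unfixed (fixed in {fixes[t]})"
    return status


if __name__ == "__main__":
    for ver in ("6.9.5", "6.8.8", "6.9.4", "6.7.14-HF1", "6.6.10"):
        print(ver, affected_by_advisory(ver), open_cves(ver))
```

Running it for 6.8.8 shows the one detail easy to miss when reading the header alone: the build is past every fix except the guest-portal XSS hotfix, so `affected_by_advisory` is True while `open_cves` names only CVE-2021-26682. For 6.7.14-HF1 the advisory's own gap surfaces, since it states no 6.7 fix for CVE-2020-7120.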
Revision History
================
Revision 1 / 2021-Feb-16 / Initial release
Revision 2 / 2021-Feb-18 / Updated patch release ETAs
Revision 3 / 2021-Mar-05 / Corrected header CVE numbers and patch status

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCgA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmA/wKYXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtm1IwgArrFXTF6sFZtvmmPoYs1I8mtI
AmlyAp9vLI0uRt6zXQS/1/6k2ZOuWmTc/apOEUVDS8YEtfl2ZBK9cCXGt21TiCqB
UkcDCRMPJCSWWuhfKj4jpqerU9YyBOteL8CyN9i1DM+GlUEU8XcJg2+DyKcOQ3Ue
Y60BYFjHF7KCSICzWy2s6pFxPA2+6zDOmKBPzo6qbsiyO3Ps+HfZa3mE16wYKOH9
jNXy2ZhXT8FnNKR2mkwr5gArvQEha7ioTM+qSzF+7omVm0VHtnugMZBZWxIGN4pa
48XGi7TTJU7tAcFnK0z+SzBbgi5vDiE2ePl8IzjJ5NRgN8frX/bWApGlKRATsw==
=6Kk+
-----END PGP SIGNATURE-----