Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2021-012
CVE: CVE-2020-14386, CVE-2021-3156, CVE-2021-29150, CVE-2021-29151,
     CVE-2021-29152, CVE-2021-34609, CVE-2021-34610, CVE-2021-34611,
     CVE-2021-34612, CVE-2021-34613, CVE-2021-34614, CVE-2021-34615,
     CVE-2021-34616
Publication Date: 2021-Jul-02
Status: Confirmed
Severity: High
Revision: 2

Title
=====

ClearPass Policy Manager Multiple Vulnerabilities

Overview
========

Aruba has released updates to ClearPass Policy Manager that address
multiple security vulnerabilities.

Affected Products
=================

These vulnerabilities affect ClearPass running the following patch
versions unless specifically noted otherwise in the details section:

- ClearPass 6.9.x prior to 6.9.6
- ClearPass 6.8.x prior to 6.8.9
- ClearPass 6.7.x all versions
- ClearPass 6.6.x all versions

Details
=======

Authenticated SQL Injection Vulnerability in ClearPass Web-based
Management Interface (CVE-2021-34609)
---------------------------------------------------------------------

A vulnerability in the web-based management interface API of ClearPass
could allow an authenticated remote attacker to conduct SQL injection
attacks against the ClearPass instance. An attacker could exploit this
vulnerability to obtain and modify sensitive information in the
underlying database, potentially leading to an escalation of privileges.
Internal references: ATLCP-82
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik De
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Sudo Privilege Escalation Vulnerability aka "Baron Samedit"
(CVE-2021-3156)
---------------------------------------------------------------------

A vulnerability in the command line parameter parsing code of Sudo
could allow an attacker with access to Sudo to execute commands or
binaries with root privileges. ClearPass does not allow access to local
shell commands during normal operation, and so the main impact of this
vulnerability would be as part of a "chained attack" where an attacker
has achieved a foothold with lower privileges via another vulnerability
and then uses this to escalate privileges.

Internal references: ATLCP-131
Severity: High
CVSSv3 Overall Score: 7.8
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and published by the
Qualys Research Team.

Local Privilege Escalation Vulnerability in ClearPass Linux Kernel
(CVE-2020-14386)
---------------------------------------------------------------------

A vulnerability in the Linux kernel of ClearPass could allow an attacker
to gain root privileges from unprivileged processes. ClearPass does not
allow access to local shell commands during normal operation, and so the
main impact of this vulnerability would be as part of a "chained attack"
where an attacker has achieved a foothold with lower privileges via
another vulnerability and then uses this to escalate privileges.

Internal references: ATLCP-126
Severity: High
CVSSv3 Overall Score: 7.8
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and published by Or Cohen
of Palo Alto Networks.
Deserialization Vulnerability in ClearPass Web-based Management
Interface (CVE-2021-29150)
---------------------------------------------------------------------

A vulnerability in a deserialization function used by the ClearPass
web-based management interface could allow remote authenticated users
to execute arbitrary commands on the underlying host. A successful
exploit allows an attacker to execute commands as root on the
underlying operating system, leading to complete system compromise.

Internal references: ATLCP-118
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Authenticated Remote Command Injection in ClearPass Web-Based
Management Interface Leading to Full System Compromise
(CVE-2021-34610, CVE-2021-34611)
---------------------------------------------------------------------

Vulnerabilities in the ClearPass web-based management interface allow
remote authenticated users to run arbitrary commands on the underlying
host. A successful exploit could allow an attacker to execute arbitrary
commands as root on the underlying operating system, leading to
complete system compromise.

Internal references: ATLCP-78, ATLCP-128
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) and Erik De Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.

Authentication Bypass in ClearPass Web-based Management Interface
(CVE-2021-29151)
---------------------------------------------------------------------

A vulnerability exists which allows an unauthenticated attacker to
access some unintended functions on the ClearPass web-based management
interface. Successful exploitation allows an attacker to gain access to
some data that should require authorization.
This does not expose the system to compromise or leak sensitive
information from the ClearPass instance.

Internal references: ATLCP-133
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Discovery: This vulnerability was discovered and reported by the Bell
Canada security team.

Authenticated Denial of Service Vulnerability in ClearPass Web-based
Management Interface (CVE-2021-29152)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of ClearPass
could allow an authenticated remote attacker to conduct a denial of
service attack against the system. A successful exploit could allow an
attacker to deny access to the underlying database and prevent normal
system operation.

Internal references: ATLCP-110
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Discovery: This vulnerability was discovered and reported by Erik De
Jong (bugcrowd.com/erikdejong).

Authenticated Remote Command Injection in ClearPass CLI
(CVE-2021-34612)
---------------------------------------------------------------------

A vulnerability in the ClearPass CLI could allow remote authenticated
users to run arbitrary commands on the underlying host. A successful
exploit could allow an attacker to execute arbitrary commands as a low
privileged user on the underlying operating system, leading to partial
system compromise.
Internal references: ATLCP-100
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Discovery: This vulnerability was discovered and reported by damif512
(bugcrowd.com/damif512) via Aruba's Bug Bounty Program.

Authenticated Remote Command Injection in ClearPass Web-Based
Management Interface Leading to Partial System Compromise
(CVE-2021-34613, CVE-2021-34614, CVE-2021-34615, CVE-2021-34616)
---------------------------------------------------------------------

Vulnerabilities in the ClearPass web-based management interface allow
remote authenticated users to run arbitrary commands on the underlying
host. A successful exploit could allow an attacker to execute arbitrary
commands as a low privileged user on the underlying operating system,
leading to partial system compromise.

Internal references: ATLCP-102, ATLCP-106, ATLCP-114, ATLCP-115
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Resolution
==========

The vulnerabilities contained in this advisory can be addressed by
patching or upgrading to one of the ClearPass versions listed below:

- ClearPass 6.10.x: 6.10 and above
- ClearPass 6.9.x: 6.9.6 and above
- ClearPass 6.8.x: 6.8.9 and above

Workaround
==========

To minimize the likelihood of an attacker exploiting some of these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces for ClearPass be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.
ClearPass Security Hardening
============================

For general information on hardening ClearPass instances against
security threats please see the ClearPass Hardening Guide available at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us

Exploitation and Public Discussion
==================================

Aruba is not aware of any public discussion or exploit code that target
these specific vulnerabilities.

Revision History
================

Revision 1 / 2021-Jun-29 / Initial release
Revision 2 / 2021-Jul-02 / Correct minor typos

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.