-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-018
CVE: CVE-2021-37736, CVE-2021-37737, CVE-2021-37738, CVE-2021-37739,
     CVE-2021-40986, CVE-2021-40987, CVE-2021-40988, CVE-2021-40989,
     CVE-2021-40990, CVE-2021-40991, CVE-2021-40992, CVE-2021-40993,
     CVE-2021-40994, CVE-2021-40995, CVE-2021-40996, CVE-2021-40997,
     CVE-2021-40998, CVE-2021-40999
Publication Date: 2021-Oct-12
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
Aruba has released updates to ClearPass Policy Manager that address
multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect ClearPass Policy Manager running the
following patch versions unless specifically noted otherwise in the
details section:

- - ClearPass Policy Manager 6.10.x prior to 6.10.2
- - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1
- - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1

Updating ClearPass Policy Manager to a patch level listed in the
Resolution section at the end of this advisory will resolve all issues.

Versions of ClearPass Policy Manager that are end of life should be
considered to be affected by these vulnerabilities unless otherwise
indicated. Impacted customers should plan to migrate to a supported
version. Versions that should be considered to be vulnerable and not
patched by this advisory include:

- - ClearPass Policy Manager 6.7.x and earlier

Details
=======
Unauthenticated Exploitation of Encryption Endpoint Leading to Remote
Authentication Bypass (CVE-2021-37736)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ClearPass
Policy Manager could allow an unauthenticated remote attacker to access
an encryption endpoint on the platform.
A successful exploit allows an attacker to bypass system authentication
and achieve total cluster compromise.

Internal references: ATLCP-146
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Luke Young
(bugcrowd.com/bored_engineer) via Aruba's Bug Bounty Program.

Unauthenticated Information Disclosure Leading to Remote Authentication
Bypass (CVE-2021-40996, CVE-2021-40997)
---------------------------------------------------------------------
Vulnerabilities in the web-based management interface of ClearPass
Policy Manager could allow an unauthenticated remote attacker to access
sensitive information on the platform. A successful exploit allows an
attacker to bypass system authentication and achieve total cluster
compromise.

Internal references: ATLCP-149, ATLCP-150
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Authenticated SQL Injection Vulnerability in ClearPass Policy Manager
Web-based Management Interface Leading to Cluster Compromise
(CVE-2021-37737)
---------------------------------------------------------------------
A vulnerability in the web-based management interface API of ClearPass
Policy Manager could allow an authenticated remote attacker to conduct
SQL injection attacks against the ClearPass Policy Manager instance. An
attacker could exploit this vulnerability to obtain and modify sensitive
information in the underlying database, potentially leading to complete
compromise of the ClearPass Policy Manager cluster.
Internal references: ATLCP-147
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Luke Young
(bugcrowd.com/bored-engineer) via Aruba's Bug Bounty Program.

Unauthenticated Information Disclosure in ClearPass Policy Manager
Web-based Management Interface (CVE-2021-37738)
---------------------------------------------------------------------
A vulnerability exists which allows an unauthenticated attacker to
access sensitive information on the ClearPass Policy Manager web-based
management interface. Successful exploitation allows an attacker to gain
access to some data that should require authorization. This does not
expose the system to direct compromise.

Internal references: ATLCP-125
Severity: High
CVSSv3 Overall Score: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by S4thi5h
(bugcrowd.com/S4thi5h) via Aruba's Bug Bounty Program.

Authenticated Remote Command Injection in ClearPass Policy Manager
Web-Based Management Interface Leading to Full System Compromise
(CVE-2021-37739, CVE-2021-40986, CVE-2021-40987, CVE-2021-40998,
CVE-2021-40999)
---------------------------------------------------------------------
Vulnerabilities in the ClearPass Policy Manager web-based management
interface allow remote authenticated users to run arbitrary commands on
the underlying host. A successful exploit could allow an attacker to
execute arbitrary commands as root on the underlying operating system,
leading to complete system compromise.

Internal references: ATLCP-134, ATLCP-136, ATLCP-138, ATLCP-154,
ATLCP-155
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) and Erik De Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.
Authenticated Remote Path Traversal in ClearPass Policy Manager
Web-Based Management Interface Leading to Full System Compromise
(CVE-2021-40988)
---------------------------------------------------------------------
A vulnerability in the ClearPass Policy Manager web-based management
interface allows remote authenticated users to write arbitrary files on
the underlying host with administrator privileges. A successful exploit
could allow an attacker to execute arbitrary commands as root on the
underlying operating system, leading to complete system compromise.

Internal references: ATLCP-137
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Erik De
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Local Privilege Escalation in ClearPass OnGuard (CVE-2021-40989)
---------------------------------------------------------------------
A vulnerability in ClearPass OnGuard could allow local authenticated
users on a Windows platform to elevate their privileges. A successful
exploit could allow an attacker to execute arbitrary code with SYSTEM
level privileges.

Internal references: ATLCP-120
Severity: High
CVSSv3 Overall Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Authenticated Information Disclosure in ClearPass Policy Manager
Web-based Management Interface Exposing Cleartext Secrets
(CVE-2021-40990)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access
sensitive information on the ClearPass Policy Manager web-based
management interface. Successful exploitation allows an attacker to gain
access to some data in a cleartext format, possibly exposing other
network infrastructure to further compromise.
Internal references: ATLCP-151
Severity: Medium
CVSSv3 Overall Score: 6.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

Discovery: This vulnerability was discovered and reported by Ron Peck of
Macquarie Group Ltd.

Authenticated Information Disclosure in ClearPass Policy Manager
Web-based Management Interface Leading to Escalation of Privileges
(CVE-2021-40991)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access
sensitive information on the ClearPass Policy Manager web-based
management interface. Successful exploitation allows an attacker to gain
access to some data that could be exploited to escalate privileges.

Internal references: ATLCP-135
Severity: Medium
CVSSv3 Overall Score: 6.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Discovery: This vulnerability was discovered and reported by Erik De
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Authenticated SQL Injection Vulnerability in ClearPass Policy Manager
Command Line Interface (CVE-2021-40992)
---------------------------------------------------------------------
A vulnerability in the management command line interface of ClearPass
Policy Manager allows an authenticated remote attacker to conduct SQL
injection attacks against the ClearPass Policy Manager instance. An
attacker could exploit this vulnerability to obtain and modify sensitive
information in the underlying database, potentially leading to an
escalation of privileges.
Internal references: ATLCP-94
Severity: Medium
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Authenticated SQL Injection Vulnerability in ClearPass Policy Manager
Web-based Management Interface (CVE-2021-40993)
---------------------------------------------------------------------
A vulnerability in the web-based management interface API of ClearPass
Policy Manager could allow an authenticated remote attacker to conduct
SQL injection attacks against the ClearPass Policy Manager instance. An
attacker could exploit this vulnerability to obtain and modify
information in the underlying database.

Internal references: ATLCP-152
Severity: Medium
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Aruba's
internal engineering.

Authenticated Remote Command Injection in ClearPass Policy Manager
Command Line Interface (CVE-2021-40994, CVE-2021-40995)
---------------------------------------------------------------------
Vulnerabilities in the ClearPass Policy Manager command line interface
could allow remote authenticated users to run arbitrary commands on the
underlying host. A successful exploit could allow an attacker to execute
arbitrary commands as a low privileged user on the underlying operating
system, leading to partial system compromise.
Internal references: ATLCP-97, ATLCP-98
Severity: Medium
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Resolution
==========
The vulnerabilities contained in this advisory can be addressed by
patching or upgrading to one of the ClearPass Policy Manager versions
listed below:

- - ClearPass Policy Manager 6.10.x: 6.10.2 and above
- - ClearPass Policy Manager 6.9.x: 6.9.7-HF1 and above
- - ClearPass Policy Manager 6.8.x: 6.8.9-HF1 and above

As a general rule, we do not evaluate or patch ClearPass Policy Manager
versions that have reached their End of Support (EoS) milestone. For
more information about Aruba's End of Support policy visit:

https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces for ClearPass Policy Manager be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at layer 3
and above.

ClearPass Policy Manager Security Hardening
===========================================
For general information on hardening ClearPass Policy Manager instances
against security threats please see the ClearPass Policy Manager
Hardening Guide available at

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the release date of the advisory.
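The Affected Products and Resolution sections reduce to a version comparison whose easy mistake is at the hotfix boundary: 6.9.7 is affected, 6.9.7-HF1 is not, and 6.7.x is affected with no patch at all. The script below is an added example, not part of this advisory and not an Aruba tool. It encodes the fixed versions from the Resolution section and the end-of-life rule from Affected Products, and triages an inventory. It assumes version strings in the advisory's own form (major.minor.patch with an optional -HF<n> suffix); the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Triage ClearPass Policy Manager versions against ARUBA-PSA-2021-018.

Added example; not part of the advisory or of any Aruba tool. Fixed
versions are taken from the advisory's Resolution section and the
end-of-life rule from its Affected Products section. Version strings are
assumed to use the advisory's own form: major.minor.patch with an
optional -HF<n> hotfix suffix (e.g. "6.9.7-HF1").
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Minimum fixed build per supported branch (Resolution section).
FIXED_BY_BRANCH: Dict[Tuple[int, int], str] = {
    (6, 10): "6.10.2",
    (6, 9): "6.9.7-HF1",
    (6, 8): "6.8.9-HF1",
}

# Branches older than this (6.7.x and earlier) are end of life and unpatched.
OLDEST_PATCHED_BRANCH = (6, 8)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-HF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix) so tuples compare correctly.

    A plain patch release carries hotfix 0, so 6.9.7 < 6.9.7-HF1 < 6.9.7-HF2.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ClearPass version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


class Verdict(NamedTuple):
    version: str
    affected: bool
    reason: str
    fix: Optional[str]  # in-branch version to move to; None if fixed or EoL


def triage(version: str) -> Verdict:
    """Classify one version against the advisory's affected/fixed lists."""
    parsed = parse_version(version)
    branch = parsed[:2]

    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if parsed >= parse_version(fixed):
            return Verdict(version, False, f"at or above {fixed}", None)
        return Verdict(version, True, f"below {fixed}", fixed)

    if branch < OLDEST_PATCHED_BRANCH:
        return Verdict(version, True,
                       "end-of-life branch; not patched by this advisory, "
                       "migrate to a supported version", None)

    # A branch newer than any the advisory lists is not in its affected set.
    return Verdict(version, False, "branch not listed in this advisory", None)


def affected_hosts(inventory: Dict[str, str]) -> List[Tuple[str, Verdict]]:
    """Return (hostname, verdict) for every host the advisory applies to."""
    results = []
    for host, version in sorted(inventory.items()):
        verdict = triage(version)
        if verdict.affected:
            results.append((host, verdict))
    return results


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "cppm-01": "6.10.1",
    "cppm-02": "6.10.2",
    "cppm-03": "6.9.7",      # patch level matches, hotfix missing: still affected
    "cppm-04": "6.9.7-HF1",
    "cppm-05": "6.8.8",
    "cppm-06": "6.7.14",     # end of life: affected, no in-branch fix
}

if __name__ == "__main__":
    for host, verdict in affected_hosts(SAMPLE_INVENTORY):
        target = verdict.fix or "a supported release"
        print(f"{host}: {verdict.version} affected ({verdict.reason}); "
              f"move to {target}")
```

Treating the hotfix as a fourth tuple component is what keeps a bare 6.9.7 on the affected side of 6.9.7-HF1; a comparison that strips the suffix before comparing would report those hosts as fixed.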
Revision History
================
Revision 1 / 2021-Oct-12 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmFcteYXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk+qQgAtdZSNmuNpRxRps5sQfR7KFLl
h5mfu0wdbx9HZyqoqkDVo+1e/2owO31Rer1rhaAtb8FSJZy7InAo4cYMXcff149n
o9fryp+npiQ9WBmAwCkQLFE8L1bsQldw6ESbfag1mw0hgm2fAxhCmafX9extI7ZT
qItvU4rcCo62d4ED+uPLFlIx0kwZj8iA22ylYsaJD35+nyJ5x1L4HHAGoyZEOjey
tgKIA5xaxArqZHzvd4xaPnnJd9uUxTKpqUHlKEB9fWXPNP/IqSNaoWko43mVW9f8
vFUyae8aOOORISAYnZsz3U1/wElRaW3KHk794IFIA3b+fRTT2J1a7RPWCgBvrw==
=HR8w
-----END PGP SIGNATURE-----