Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-007
CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658,
     CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662,
     CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666,
     CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670,
     CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674,
     CVE-2022-23675
Publication Date: 2022-May-04
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the Details section:

- ClearPass Policy Manager 6.10.x: 6.10.4 and below
- ClearPass Policy Manager 6.9.x: 6.9.9 and below
- ClearPass Policy Manager 6.8.x: 6.8.9-HF2 and below

Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the Details section.

Versions of ClearPass Policy Manager that are end of life should be considered to be affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version.
Versions that should be considered to be vulnerable and not addressed by this advisory include:

- ClearPass Policy Manager 6.7.x and below

Details
=======

Authentication Bypass Leading to Remote Code Execution in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660)
---------------------------------------------------------------------
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.

Internal References: ATLCP-156, ATLCP-162, ATLCP-163
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.

Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23670)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.

Internal Reference: ATLCP-169
Severity: High
CVSSv3.x Overall Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Discovery: This vulnerability was discovered and reported by Colton Bachman of Aruba Threat Labs.
Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-23671)
---------------------------------------------------------------------
A vulnerability exists in the ClearPass Policy Manager cluster communications that allows an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster.

Internal Reference: ATLCP-182
Severity: High
CVSSv3.x Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by the Central College Security Team.

Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23674, CVE-2022-23675)
---------------------------------------------------------------------
Multiple vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLCP-176, ATLCP-185
Severity: High
CVSSv3.x Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Discovery: These vulnerabilities were discovered and reported by Rahul Mohan of Aruba Networks and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.
Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Full System Compromise (CVE-2022-23661, CVE-2022-23662)
---------------------------------------------------------------------
Vulnerabilities in the ClearPass Policy Manager command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.

Internal References: ATLCP-77, ATLCP-107
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Full System Compromise (CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673)
---------------------------------------------------------------------
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.

Internal References: ATLCP-140, ATLCP-141, ATLCP-157, ATLCP-160, ATLCP-161, ATLCP-172
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.
Reflected Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23659)
---------------------------------------------------------------------
A vulnerability within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal Reference: ATLCP-181
Severity: Medium
CVSSv3.x Overall Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by the Memorial Hermann Security Team.

Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in Python Eventlet Library (CVE-2021-21419)
---------------------------------------------------------------------
A vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. This could allow a WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager, leading to a partial denial-of-service condition in services that use the library. For more details, please refer to https://github.com/advisories/GHSA-9p9m-jm8w-94p2

Internal Reference: ATLCP-158
Severity: Medium
CVSSv3.x Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: This vulnerability was discovered by the maintainers of the Eventlet repository on GitHub.

Authorization Bypass in ClearPass Policy Manager via Insufficient Session Expiration (CVE-2022-23669)
---------------------------------------------------------------------
A vulnerability exists in the handling of SAML token expiration by ClearPass Policy Manager.
A successful exploit could allow an attacker in possession of a valid token to reuse the token after session expiration, thereby bypassing the normal authorization process.

Internal Reference: ATLCP-171
Severity: Medium
CVSSv3.x Overall Score: 5.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by Tomas Rzepka of F-Secure.

Authenticated Denial-of-Service Condition in Python Urllib Library Used by ClearPass Policy Manager (CVE-2021-33503)
---------------------------------------------------------------------
A vulnerability exists in the Python Urllib library used by ClearPass Policy Manager. An authenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition in the interface. For more details, please refer to https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

Internal Reference: ATLCP-165
Severity: Medium
CVSSv3.x Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered by Nariyoshi Chida.

Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Partial System Compromise (CVE-2022-23667)
---------------------------------------------------------------------
A vulnerability in the ClearPass Policy Manager command line interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower-privileged user on the underlying operating system, leading to partial system compromise.

Internal Reference: ATLCP-92
Severity: Medium
CVSSv3.x Overall Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.
Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2022-23668)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the ClearPass Policy Manager host, leading to potential disclosure of sensitive information.

Internal Reference: ATLCP-124
Severity: Medium
CVSSv3.x Overall Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by Mohammed F. Al-Barbari (bugcrowd.com/m4dm0e) via Aruba's Bug Bounty Program.

Resolution
==========
The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below:

- ClearPass Policy Manager 6.10.x: 6.10.5 and above
- ClearPass Policy Manager 6.9.x: 6.9.10 and above
- ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above

As a general rule, Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone.
For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

ClearPass Policy Manager Security Hardening
===========================================
For general information on hardening ClearPass Policy Manager instances against security threats, please see the ClearPass Policy Manager Hardening Guide, available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x, the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2022-May-04 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.