-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04675
CVE: CVE-2024-3596, CVE-2024-41915, CVE-2024-41916, CVE-2024-5486
Publication Date: 2024-Jul-30
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released updates to ClearPass Policy Manager that
address multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect ClearPass Policy Manager running the following
software versions unless specifically noted otherwise in the details section:

- ClearPass Policy Manager 6.12.x: 6.12.1 and below
- ClearPass Policy Manager 6.11.x: 6.11.8 and below

Versions of ClearPass Policy Manager that are end of life are affected by
these vulnerabilities unless otherwise indicated.

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above are not
affected by these vulnerabilities.

Details
=======

RADIUS protocol susceptible to forgery attacks (CVE-2024-3596)
---------------------------------------------------------------------
A forgery attack has been discovered against the Response Authenticator in
RADIUS/UDP, specifically targeting RFC 2865. This attack allows a
man-in-the-middle to forge a valid Access-Accept response to a client request
that was initially rejected by the RADIUS server, thereby granting
unauthorized network access. The vulnerability exploits a chosen-prefix
collision attack on MD5, manipulating the first byte and packet attributes of
Access-Reject messages to match the Response Authenticator of a forged
Access-Accept message.
The attack requires appending a minimal amount of collision-block data to the
Access-Request, which is then encapsulated in Proxy-State attributes and
processed by the server, ensuring that the computed Response Authenticator
matches for both the legitimate Access-Reject and the forged Access-Accept.
The attacker must have man-in-the-middle access between the RADIUS client and
server and the ability to trigger an Access-Request. By predicting the
Access-Reject response and computing an MD5 chosen-prefix collision (within 5
to 6 minutes, potentially faster with more resources), the attacker can modify
the client request, remove any Message-Authenticator attributes if PAP
authentication is used, and forge an Access-Accept response by copying the
Response Authenticator from the Access-Reject response. This modified
response, when sent to the client, grants the attacker unauthorized access to
resources authenticated/authorized via RADIUS.

Internal References: ATLCP-274
Severity: Critical
CVSSv3.x Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Sharon Goldberg,
Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam
Suhl.

Please note this CVE was originally disclosed at
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04662en_us&docLocale=en_US
and in HPESBNW04662 :: RADIUS Protocol Susceptible to Forgery Attacks (Rev-2)
[https://networkingsupport.hpe.com/notifications/Tm90aWZpY2F0aW9uOjE5ODEw;notificationCategory=Security]

Authenticated SQL Injection Vulnerability in ClearPass Policy Manager
Web-based Management Interface (CVE-2024-41915)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ClearPass Policy
Manager could allow an authenticated remote attacker to conduct SQL injection
attacks against the ClearPass Policy Manager instance.
An attacker could exploit this vulnerability to obtain and modify sensitive
information in the underlying database, potentially leading to complete
compromise of the ClearPass Policy Manager cluster.

Internal References: ATLCP-271
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by the security team
at Cambridge University.
Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled
by firewall policies at layer 3 and above.

Authenticated Sensitive Information Disclosure in ClearPass Policy Manager
(CVE-2024-41916)
---------------------------------------------------------------------
A vulnerability exists in ClearPass Policy Manager that allows an attacker
with administrative privileges to access sensitive information in cleartext.
A successful exploit allows an attacker to retrieve information which could be
used to potentially gain further access to network services supported by
ClearPass Policy Manager.

Internal Reference: ATLCP-277
Severity: Medium
CVSSv3.x Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Discovery: This vulnerability was discovered and reported by the Security Team
at Quinstreet Inc.
Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled
by firewall policies at layer 3 and above.
Authenticated Sensitive Information Disclosure in ClearPass Policy Manager
(CVE-2024-5486)
---------------------------------------------------------------------
A vulnerability exists in ClearPass Policy Manager that allows an attacker
with administrative privileges to access sensitive information in cleartext.
A successful exploit allows an attacker to retrieve information which could be
used to potentially gain further access to network services supported by
ClearPass Policy Manager.

Internal Reference: ATLCP-278
Severity: Medium
CVSSv3.x Overall Score: 5.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Discovery: This vulnerability was discovered and reported by the Federal
Aviation Administration.
Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled
by firewall policies at layer 3 and above.

Resolution
==========
Upgrade ClearPass Policy Manager to one of the following versions with the
fixes to resolve all issues noted in the details section.

- ClearPass Policy Manager 6.12.x: 6.12.2 and above
- ClearPass Policy Manager 6.11.x: 6.11.9 and above
- In addition, for CVE-2024-3596 the following steps need to be taken to
  enable the RADIUS Message-Authenticator on ClearPass:
  - Navigate to the Administration > Server Manager > Server Configuration
    screen and select each server individually to enable Message-Authenticator
    support.
  - On the server screen, navigate to the Service Parameters tab and select
    the Radius server service.
  - Under the Security header, modify the parameters:
      Require Message-Authenticator from NAD = yes
      Require Message-Authenticator from Proxy Server = yes
  - Save the changes. This will then restart the service with the requirement
    that the Message-Authenticator be transmitted, or the request will not be
    processed.
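The two integrity checks this advisory turns on, shown together in Python as an
added illustration (not ClearPass or HPE code): the RFC 2865 Response
Authenticator, an unkeyed MD5 over the reply that the CVE-2024-3596 forgery
targets, and the RFC 2869 Message-Authenticator, the keyed HMAC-MD5 that the
Resolution steps above make mandatory. `verify()` with `request_auth=None` is
the server-side check that "Require Message-Authenticator from NAD = yes"
enforces; called with the Request Authenticator it is the client-side check of
a reply. The shared secret, identifier and attribute values are constructed
sample data, and every function name is this example's own.

```python
# Added illustration of RADIUS integrity checks (RFC 2865 / RFC 2869); not ClearPass code.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER_LEN = 20

def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Decode the TLV region, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def _header(code, ident, attr_bytes):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 s3: unkeyed MD5(Code|ID|Length|RequestAuth|Attributes|Secret), the value CVE-2024-3596 forges."""
    return hashlib.md5(_header(code, ident, attr_bytes) + request_auth + attr_bytes + secret).digest()

def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the packet, with the Message-Authenticator
    value zeroed. The authenticator field is the Request Authenticator for requests and their replies."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    attr_bytes = encode_attrs(zeroed)
    return hmac.new(secret, _header(code, ident, attr_bytes) + request_auth + attr_bytes, hashlib.md5).digest()

def build_packet(code, ident, request_auth, attrs, secret, with_ma=True):
    """Build an Access-Request (NAD side) or a reply to it (server side). The Message-Authenticator
    is computed first because the Response Authenticator covers it."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    if with_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    attr_bytes = encode_attrs(attrs)
    auth = request_auth if code == ACCESS_REQUEST else response_authenticator(code, ident, request_auth, attr_bytes, secret)
    return _header(code, ident, attr_bytes) + auth + attr_bytes

def verify(packet, secret, request_auth=None, require_ma=True):
    """request_auth=None: server side, packet is an Access-Request ('Require Message-Authenticator
    from NAD = yes' is require_ma). Otherwise NAD side, packet is the reply to that request."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attr_bytes = packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if length != len(packet):
        return False, "length field does not match packet size"
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError as e:
        return False, str(e)
    if request_auth is None:
        if code != ACCESS_REQUEST:
            return False, "not an Access-Request"
        request_auth = auth
    elif not hmac.compare_digest(response_authenticator(code, ident, request_auth, attr_bytes, secret), auth):
        return False, "bad Response Authenticator"
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "missing Message-Authenticator") if require_ma else (True, "accepted without Message-Authenticator")
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(message_authenticator(code, ident, request_auth, attrs, secret), mas[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    request_auth = bytes(range(16))        # constructed; a real NAD sends 16 random bytes
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_PROXY_STATE, b"constructed-proxy-state")]
    req = build_packet(ACCESS_REQUEST, 9, request_auth, attrs, secret)
    req_legacy = build_packet(ACCESS_REQUEST, 9, request_auth, attrs, secret, with_ma=False)
    reject = build_packet(ACCESS_REJECT, 9, request_auth, attrs, secret)
    reject_legacy = build_packet(ACCESS_REJECT, 9, request_auth, attrs, secret, with_ma=False)
    # A Reject whose code byte is flipped to Accept fails both checks here; the advisory's attack keeps the MD5 check valid, leaving the keyed HMAC check to catch it.
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "server_strict_with_ma": verify(req, secret),
        "server_strict_legacy": verify(req_legacy, secret),
        "nad_strict_with_ma": verify(reject, secret, request_auth),
        "nad_strict_legacy": verify(reject_legacy, secret, request_auth),
        "nad_lenient_legacy": verify(reject_legacy, secret, request_auth, require_ma=False),
        "nad_strict_flipped": verify(flipped, secret, request_auth),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'PASS' if ok else 'REJECT':6s} {why}")
```

Running the file prints one line per case. The two "legacy" cases are the point
of the configuration change: with require_ma off, a reply that carries no
Message-Authenticator is accepted on the strength of the MD5 Response
Authenticator alone, which is exactly the value the forgery reproduces; with it
on, such a reply (and such a request at the server) is dropped before any
attribute is trusted.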
HPE Aruba Networking does not evaluate or patch ClearPass Policy Manager
versions that have reached their End of Support (EoS) milestone. Supported
versions as of the publication date of this advisory are:

- ClearPass Policy Manager 6.12.x
- ClearPass Policy Manager 6.11.x

Software versions with resolution/fixes for the vulnerabilities covered above
can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home

For more information about HPE Aruba Networking's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. You may
contact HPE Services - Aruba Networking for any configuration assistance if
needed.

ClearPass Policy Manager Security Hardening
===========================================
For general information on hardening ClearPass Policy Manager instances
against security threats, please see the ClearPass Policy Manager Hardening
Guide.

For ClearPass 6.12.x, the ClearPass Policy Manager Hardening Guide is
available at
https://www.arubanetworks.com/techdocs/ClearPass/6.12/PolicyManager/Content/home.htm

For ClearPass 6.11.x, the ClearPass Policy Manager Hardening Guide is
available at
https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/home.htm

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
that targets these specific vulnerabilities as of the release date of the
advisory.
Revision History
================
Revision 1 / 2024-Jul-30 Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAman6b0XHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE64HBQwAjAKWo3iS0PUc0XZZt9s/WGL3
vO8e83F5uqa/Qk1shll1eBwWjDkwZJ5Lq0rQsrz03445vqOVQVX1FYGUJNhz7opH
tRj52gnR6AibcmsfqJX+vhRipfIayPK9bngqulQENY9h0BBX3CW/jNTt3LaxT7XR
HfIkaJWpzlAWzhl2zN36ejAcmB698joKEyFzJQg+aviYeZaHcoAzQYdvEGJ6zZxf
buJzy5UDRtD5DTGbJIdaQs8XT8daKxAgbJCH1wNYTMZ9MpVbg6nKUny4lMEX0L/0
R/1WtEuB0+9lWRb+cv89yAVPhWRb6pbyfbLLg29dm7Ys4UNof4THTQVOoTHYC1Dt
CYmvC/Zf9utH17aa6BLaRw9XvwOimWkWMg87oc0ryc14BUFj/rSpvwWHE8hdb+NN
X1v/xGB7ZcQs+i9RuqyQal4bPcaCSRgbun5cRbU/VanLtdVmD4/QE1hCPR1jkab2
alMFRM3alOc5Opr0PIE1uBenpkIRseKL4C77FXMG
=pRXt
-----END PGP SIGNATURE-----