-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04761
CVE: CVE-2024-51771, CVE-2024-51772, CVE-2024-51773, CVE-2024-53672
Publication Date: 2024-Dec-03
Status: Confirmed
Severity: High
Revision: 1

Title
=====
HPE Aruba Networking ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for HPE Aruba Networking
ClearPass Policy Manager that address multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect HPE Aruba Networking ClearPass Policy
Manager running the following software versions unless specifically
noted otherwise in the details section:

- HPE Aruba Networking ClearPass Policy Manager 6.12.x: 6.12.2 and below
- HPE Aruba Networking ClearPass Policy Manager 6.11.x: 6.11.9 and below

Versions of HPE Aruba Networking ClearPass Policy Manager that are end
of life are affected by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================
Any other supported HPE Aruba Networking products not specifically
listed above are not affected by these vulnerabilities.

Details
=======

Authenticated Remote Code Execution (RCE) via OGNL Injection in HPE
Aruba Networking ClearPass Web-Based Management Interface
(CVE-2024-51771)
---------------------------------------------------------------------
A vulnerability in the HPE Aruba Networking ClearPass Policy Manager
web-based management interface could allow an authenticated remote
threat actor to conduct a remote code execution attack. Successful
exploitation could enable the attacker to run arbitrary commands on the
underlying operating system.
Internal References: ATLCP-267
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Authenticated Deserialization Vulnerability in ClearPass Policy Manager
Web-Based Management Interface Leading to Remote Command Execution (RCE)
(CVE-2024-51772)
---------------------------------------------------------------------
A deserialization vulnerability in the ClearPass Policy Manager
web-based management interface could allow a remote authenticated user
to execute arbitrary commands on the underlying operating system. Note
that the vector below rates attack complexity as High and requires user
interaction, which is why this RCE carries a Medium rather than a High
severity.

Internal References: ATLCP-263
Severity: Medium
CVSSv3.x Overall Score: 6.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.
Authenticated Stored Cross-Site Scripting (XSS) in HPE Aruba Networking
ClearPass Policy Manager Web-Based Management Interface
(CVE-2024-51773)
---------------------------------------------------------------------
A vulnerability in the HPE Aruba Networking ClearPass Policy Manager
web-based management interface could allow an authenticated remote
attacker to conduct a stored cross-site scripting (XSS) attack.
Successful exploitation could enable a threat actor to perform any
actions the victim user is authorized to do, including accessing the
user's data and altering information within the user's permissions.
This could lead to data modification, deletion, or theft, including
unauthorized access to files, file deletion, or the theft of session
cookies, which an attacker could use to hijack the user's session.

Internal References: ATLCP-262
Severity: Medium
CVSSv3.x Overall Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Discovery:
This vulnerability was discovered and reported by Pear1y via HPE Aruba
Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Authenticated Remote Command Injection in ClearPass Policy Manager
Web-Based Management Interface (CVE-2024-53672)
---------------------------------------------------------------------
A vulnerability in the ClearPass Policy Manager web-based management
interface allows remote authenticated users to run arbitrary commands
on the underlying host. Successful exploitation could allow an attacker
to execute arbitrary commands as a lower-privileged user on the
underlying operating system.
Internal References: ATLCP-258
Severity: Medium
CVSSv3.x Overall Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Discovery:
This vulnerability was discovered by Daniel Jensen (@dozernz) via HPE
Aruba Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Resolution
==========
Upgrade HPE Aruba Networking ClearPass Policy Manager to one of the
following versions with the fixes to resolve all issues noted in the
details section:

- HPE Aruba Networking ClearPass Policy Manager 6.12.x: 6.12.3 and above
- HPE Aruba Networking ClearPass Policy Manager 6.11.x: 6.11.10 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal:

https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch HPE Aruba Networking
ClearPass Policy Manager versions that have reached their End of
Support (EoS) milestone. Supported versions as of the publication date
of this advisory are:

- HPE Aruba Networking ClearPass Policy Manager 6.12.x
- HPE Aruba Networking ClearPass Policy Manager 6.11.x

For more information about HPE Aruba Networking's End of Support Life
policy, please visit:

https://networkingsupport.hpe.com/notifications

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for any configuration
assistance, as needed.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code that targets these specific vulnerabilities as of the release date
of the advisory.
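Applying the Affected Products and Resolution sections to a fleet is mostly version arithmetic, and the edge cases (end-of-support trains, which the advisory says remain affected; trains newer than the advisory knows about) are where a quick eyeball goes wrong. The triage helper below is an added example, not HPE Aruba Networking tooling; it assumes versions are reported as dotted numerics such as "6.12.2" (a trailing build number is ignored), and the hostnames and versions in the inventory are constructed.

```python
"""Triage ClearPass Policy Manager versions against HPESBNW04761.
Added example, not HPE Aruba Networking tooling."""
import re
from typing import Tuple

# Fixed releases named in the Resolution section, keyed by release train.
FIXED_IN = {(6, 12): (6, 12, 3), (6, 11): (6, 11, 10)}
# Trains listed as supported at publication. Any older train is end of
# support and, per the advisory, affected unless otherwise indicated.
SUPPORTED_TRAINS = set(FIXED_IN)


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.12.2' -> (6, 12, 2). Extra fields such as a build number are
    dropped; anything that is not major.minor.patch is rejected."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ClearPass version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(text: str) -> str:
    """One of: 'fixed', 'affected', 'affected (end of support)',
    'not covered by this advisory'."""
    v = parse_version(text)
    train = v[:2]
    if train in FIXED_IN:
        return "fixed" if v >= FIXED_IN[train] else "affected"
    if train > max(SUPPORTED_TRAINS):
        # A train newer than the advisory lists: make no claim either way.
        return "not covered by this advisory"
    return "affected (end of support)"


# Constructed inventory for illustration only; not real hosts.
INVENTORY = {
    "cppm-lab-01": "6.12.2",
    "cppm-prod-01": "6.12.3",
    "cppm-prod-02": "6.11.9",
    "cppm-dr-01": "6.11.10",
    "cppm-legacy": "6.10.8",
}


def triage(inventory: dict) -> dict:
    """Map each host to its advisory status."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:14} {INVENTORY[host]:8} {status}")
```

A host classed "fixed" still needs the per-vulnerability workaround until it is actually upgraded, and "affected (end of support)" hosts have no patch path other than moving to a supported train.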
HPE Aruba Networking ClearPass Policy Manager Security Hardening
================================================================
For general information on hardening HPE Aruba Networking ClearPass
Policy Manager instances against security threats, please see the
ClearPass Policy Manager Hardening Guide.

For ClearPass 6.12.x, the ClearPass Policy Manager Hardening Guide is
available at:

https://www.arubanetworks.com/techdocs/ClearPass/6.12/PolicyManager/Content/home.htm

For ClearPass 6.11.x, the ClearPass Policy Manager Hardening Guide is
available at:

https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/home.htm

Revision History
================
Revision 1 / 2024-Dec-03 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:

https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE----- iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmc/hU0XHHNlY3VyaXR5 LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE67qsQv/eRwWxzB+cnej4FGv/EBugJIE 3Ov1hQbUf3T1168Kn0L3CSUvqGI4B/LEbOexSw4FGnDh19rGfsSH6kbeRehO4zPF MGaiaFpJtxyNurWZ4cu4Ei5iRx72OLwzhIqDoepWbm7VCdj3zFf7Kya0Vov83wEa Ca2yaItZJtUaL64Xj5CQHq/qDWdB29ralQLn1eYO0cUWGrxJaacMg7JmzxAlvaJL BgLW+kjq6SjjpGN7nRT20y3XRD/G8xlbkwG5vxQkT7vaFQvIRsPftEkfDMoSGeh3 3NYv421Dqwjp9X8Od8fb3HHZg/q548rOI9jnyecvFqExBXBvigT0GAeP5OQfBPgL 9TnRdSJGpXWpjZPFzvUb1JjIUqZQBqvSLlV4fuy+ul9X6UaYH38QDF/bcRw0Ip2i /3Juh9BBBc73H9LKzWjHDXOz7Cfv9njTyf4lCwZp+5uEwT40OeMagOId/1hs3y85 6MZjKbUSScskGWS2691X4ZmcN2dfA7JrzwMAaeRh =NGgV -----END PGP SIGNATURE-----