HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04784
CVE: CVE-2025-23058, CVE-2024-7348, CVE-2025-23059, CVE-2025-23060, CVE-2025-25039
Publication Date: 2025-Feb-04
Status: Confirmed
Severity: High
Revision: 1

Title
=====
HPE Aruba Networking ClearPass Policy Manager (CPPM) Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released updates to ClearPass Policy Manager (CPPM) that address multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect HPE Aruba Networking ClearPass Policy Manager running the following software versions, unless specifically noted otherwise in the Details section:

HPE Aruba Networking ClearPass Policy Manager
- 6.12.x: 6.12.3 and below
- 6.11.x: 6.11.9 and below

Versions of HPE Aruba Networking ClearPass Policy Manager that are end of life are affected by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.

Details
=======

Authenticated Broken Access Control Vulnerability in ClearPass Policy Manager Web-Based Management Interface (CVE-2025-23058)
---------------------------------------------------------------------
A vulnerability in the ClearPass Policy Manager web-based management interface allows a low-privileged (read-only) authenticated remote attacker to gain unauthorized access to data and to execute functions that should be restricted to administrators with read/write privileges. Successful exploitation could enable a low-privileged user to execute administrative functions, leading to an escalation of privileges.

Internal References: ATLCP-283
Severity: High
CVSS v3.1 Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by ING Bank.
Workaround: Temporarily disable read-only (ro) access to ClearPass Policy Manager until the upgrade to the fixed version is complete.

PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)
---------------------------------------------------------------------
A time-of-check time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Internal References: ATLCP-284
Severity: High
CVSS v3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Noah Misch through the security team of the PostgreSQL Project. Please note this CVE was originally disclosed at https://www.postgresql.org/support/security/CVE-2024-7348/

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Sensitive Information Disclosure in HPE Aruba Networking ClearPass Policy Manager (CVE-2025-23059)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of HPE Aruba Networking ClearPass Policy Manager exposes directories containing sensitive information. If exploited successfully, this vulnerability allows an authenticated remote attacker with high privileges to access and retrieve sensitive data, potentially compromising the integrity and security of the entire system.
Internal References: ATLCP-286
Severity: Medium
CVSS v3.1 Base Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by the Federal Aviation Administration.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Sensitive Data Exposure Vulnerability in HPE Aruba Networking ClearPass Policy Manager (CPPM) (CVE-2025-23060)
---------------------------------------------------------------------
A vulnerability in HPE Aruba Networking ClearPass Policy Manager may, under certain circumstances, expose sensitive unencrypted information. Exploiting this vulnerability could allow an attacker to perform a man-in-the-middle attack, potentially granting unauthorized access to network resources as well as enabling data tampering.

Internal References: ATLCP-287
Severity: Medium
CVSS v3.1 Base Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was internally discovered and reported by the QA team of HPE Aruba Networking.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Authenticated Remote Command Injection in HPE Aruba Networking ClearPass Policy Manager Web-Based Management Interface (CVE-2025-25039)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of HPE Aruba Networking ClearPass Policy Manager (CPPM) allows remote authenticated users to run arbitrary commands on the underlying host.
A successful exploit could allow an attacker to execute arbitrary commands as a lower-privileged user on the underlying operating system.

Internal References: ATLCP-249
Severity: Medium
CVSS v3.1 Base Score: 4.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Resolution
==========
Upgrade HPE Aruba Networking ClearPass Policy Manager to one of the following fixed versions to resolve all issues noted in the Details section.

HPE Aruba Networking ClearPass Policy Manager
- 6.12.x: 6.12.4 and above
- 6.11.x: 6.11.10 and above

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/downloads;fileTypes=SOFTWARE.

Supported versions as of the publication date of this advisory are:
- HPE Aruba Networking ClearPass Policy Manager 6.12.x
- HPE Aruba Networking ClearPass Policy Manager 6.11.x

HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone. For more information about the HPE Aruba Networking End of Life policy, please visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. You may contact HPE Services - Aruba Networking for any configuration assistance if needed.
HPE Aruba Networking ClearPass Policy Manager Security Hardening
===============================================================
For general information on hardening HPE Aruba Networking ClearPass Policy Manager instances against security threats, please see the ClearPass Policy Manager Hardening Guide.

HPE Aruba Networking ClearPass Policy Manager Hardening Guides
- For the 6.12.x branch, the Hardening Guide is available at: https://arubanetworking.hpe.com/techdocs/ClearPass/6.12/PolicyManager/Content/Hardening/Introduction.htm
- For the 6.11.x branch, the Hardening Guide is available at: https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/Hardening/Introduction.htm

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2025-Feb-04 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.