
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN213
_____________________________________________________________________

DATE                : 17/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Aruba ClearPass 6.8.x prior to 6.8.4
                              and 6.7.x prior to 6.7.13.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-004.txt
_____________________________________________________________________

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-004
CVE: CVE-2020-7110, CVE-2020-7111, CVE-2020-7113, CVE-2020-7114
Publication Date: 2020-Apr-14
Status: Confirmed
Revision: 2


Title
=====
ClearPass Policy Manager Multiple Vulnerabilities


Overview
========
Aruba has released updates to ClearPass Policy Manager that address
multiple security vulnerabilities.


Affected Products
=================
  ClearPass 6.8.x prior to 6.8.4
  ClearPass 6.7.x prior to 6.7.13


Details
=======

  Authentication Bypass leads to database changes       (CVE-2020-7114)
  ---------------------------------------------------------------------
    A vulnerability exists allowing attackers, when present in the same
    network segment as ClearPass' management interface, to make changes
    to certain databases in ClearPass by crafting HTTP packets. As a
    result of this attack, a complete compromise of the cluster is
    possible.

    Internal references: ATLCP-49, ATLCP-70
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: This vulnerability was discovered and reported by
    Luke Young (@TheBoredEng), via Aruba's Bug Bounty program.

    Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher


  Authenticated Remote Code Execution                   (CVE-2020-7111)
  ---------------------------------------------------------------------
    A server side injection vulnerability exists which could allow an
    authenticated administrative user to achieve Remote Code Execution
    in ClearPass.

    Internal reference: ATLCP-50
    Severity: High
    CVSSv3 Overall Score: 8.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Discovery: This vulnerability was discovered and reported by
    Luke Young (@TheBoredEng), via Aruba's Bug Bounty program.

    Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher


  Authenticated Stored Cross Site Scripting             (CVE-2020-7110)
  ---------------------------------------------------------------------
    ClearPass is vulnerable to Stored Cross Site Scripting: a malicious
    administrator, or a compromised administrator account, can save
    malicious scripts within ClearPass that could later be executed,
    resulting in a privilege escalation attack.

    Internal reference: ATLCP-52, ATLCP-53, ATLCP-54, ATLCP-55
    Severity: Medium
    CVSSv3 Overall Score: 4.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

    Discovery: This vulnerability was discovered and reported by
    Sathish (@s4thi5h), via Aruba's Bug Bounty program.

    Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher


  Information Disclosure by changing HTTP parameters    (CVE-2020-7113)
  ---------------------------------------------------------------------
    A vulnerability exists in which an attacker, while communicating
    with the ClearPass management interface, is able to intercept and
    change parameters in the HTTP packets, resulting in the compromise
    of some of ClearPass' service accounts.

    Internal reference: ATLCP-40
    Severity: Medium
    CVSSv3 Overall Score: 4.1
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

    Discovery: This vulnerability was discovered and reported by
    Darrell Damstedt (@hateshape), via Aruba's Bug Bounty program.

    Resolution: Fixed in 6.7.10, 6.8.1, 6.9.0 and higher


Resolution
==========

  1. Upgrade ClearPass Policy Manager 6.8.x to version 6.8.4
  2. Upgrade ClearPass Policy Manager 6.7.x to version 6.7.13


Workarounds
===========
None.

As a standard best practice, Aruba recommends that ClearPass
administrators restrict access to the Policy Manager Admin Web
Interface. This can be accomplished by navigating to Administration >>
Server Manager >> Server Configuration >> <Server-Name> >> Network >>
Restrict Access and only allowing non-public or network management networks.


Revision History
================

Revision 1 / 2020-Apr-14 / Initial release
Revision 2 / 2020-Apr-14 / Changed affected 6.8.x version and resolution


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and on obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================