ClearPass Policy Manager Multiple Vulnerabilities

Mar 22, 2018 - General


Aruba - ClearPass Policy Manager Multiple Vulnerabilities
Aruba has released an update to ClearPass Policy Manager that addresses four security vulnerabilities.
Affected Products

ClearPass 6.6.x prior to 6.6.9
ClearPass 6.7.x prior to 6.7.2


Details

Authentication bypass can lead to server compromise (CVE-2018-7058)
-------------------------------------------------------------------
All versions of ClearPass 6.6.x prior to 6.6.9 are affected by an
authentication bypass vulnerability. An unauthenticated attacker
can leverage this vulnerability to gain administrator privileges
on the system. The vulnerability is exposed only through the ClearPass
web interfaces, including the administrative interface, the guest
captive portal, and the API. Customers who do not expose ClearPass web
interfaces to untrusted users are impacted to a lesser extent.

Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.


Authenticated disclosure of cluster password (CVE-2018-7059)
------------------------------------------------------------
This vulnerability is only present when authenticated as a user
with the 'mon' permission.

ClearPass prior to 6.6.9 has a vulnerability in the API that
coordinates cluster actions. An authenticated user with the 'mon'
permission could use this vulnerability to obtain the cluster
credentials, which could allow privilege escalation.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.


Authenticated sessions are vulnerable to CSRF attacks (CVE-2018-7060)
---------------------------------------------------------------------
ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 are vulnerable
to CSRF attacks against authenticated users. An attacker could manipulate
an authenticated user into performing actions on the web administrative
interface without that user's knowledge.

Severity: MEDIUM
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Resolution: Fixed in 6.6.9 and 6.7.1.


Authenticated user can gain access as different user (CVE-2018-0489)
--------------------------------------------------------------------
ClearPass includes a third-party implementation of SAML that can allow an
attacker with authenticated access to trick SAML-enabled systems into
authenticating them as a different user, without knowledge of the victim
user's password. This vulnerability is only present if ClearPass SAML
features are enabled under Configuration -> Identity -> Single Sign-On (SSO).

The vulnerability affects all ClearPass 6.6.x releases up to and including
6.6.9 unless the 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489' has been
applied, and ClearPass 6.7.x prior to 6.7.2. It affects all uses of SAML
within ClearPass, including:
- Administrative logins to Policy Manager, Guest and Insight.
- Onboard device provisioning portals
- Guest Operator Login to Guest and Onboard applications.
- Aruba Auto Sign-On (ASO)

Severity: HIGH
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N


Resolution

1. If running any of the prior 6.6.x versions, upgrade ClearPass Policy
Manager to version 6.6.9 and then install the 'ClearPass 6.6.9 Hotfix
Patch for CVE-2018-0489'. Note: Version 6.6.9 also contains fixes for
CVE-2017-9001 and CVE-2017-5708 which were previously announced.

2. If running ClearPass Policy Manager 6.7.0 or 6.7.1, upgrade to version
6.7.2.
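The affected-version logic above is easy to get wrong by hand because the four
issues have different fix versions, 6.6.9 is only clean for CVE-2018-0489 once
the hotfix is installed, and CVE-2018-0489 only matters when SAML SSO is
enabled. The following script is an added example, not Aruba's own tooling: it
encodes exactly the version ranges stated in this advisory and nothing else. It
assumes version strings of the form "6.6.9" or "6.6.9.105291" (a trailing build
number is ignored; that format is an assumption about how ClearPass reports its
version) and that the operator supplies whether the hotfix is installed and
whether SAML SSO is configured, since neither can be inferred from the version
number. The inventory at the bottom is constructed sample input.

```python
"""Affected-version check for the four CVEs in this advisory (added example).

Encodes only the ranges stated in the advisory text:

  CVE-2018-7058, CVE-2018-7059: 6.6.x prior to 6.6.9 (fixed in 6.6.9 / 6.7.0)
  CVE-2018-7060:                6.6.x prior to 6.6.9, 6.7.x prior to 6.7.1
  CVE-2018-0489:                6.6.x up to and including 6.6.9 without the
                                'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489',
                                6.7.x prior to 6.7.2; only if SAML SSO is enabled
"""
from __future__ import annotations

import re

# Trains the advisory covers; anything else is out of scope for this check.
COVERED_TRAINS = {(6, 6), (6, 7)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a ClearPass version string.

    A fourth build component (e.g. 6.6.9.105291) is accepted and dropped;
    that format is an assumption, not something stated in the advisory.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ClearPass version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def affected_cves(version: str,
                  hotfix_0489_applied: bool = False,
                  saml_sso_enabled: bool = True) -> list[str]:
    """List the advisory's CVEs that apply to the given installation.

    Raises ValueError for trains the advisory does not cover (e.g. 6.5.x)
    rather than silently reporting them as clean.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) not in COVERED_TRAINS:
        raise ValueError(f"{version}: not a 6.6.x or 6.7.x release; "
                         "this advisory makes no statement about it")

    found: set[str] = set()
    if (major, minor) == (6, 6):
        if patch < 9:
            # Every issue is present before 6.6.9.
            found.update({"CVE-2018-7058", "CVE-2018-7059", "CVE-2018-7060"})
            if saml_sso_enabled:
                found.add("CVE-2018-0489")
        elif patch == 9 and saml_sso_enabled and not hotfix_0489_applied:
            # 6.6.9 fixes the first three but needs the hotfix for SAML.
            found.add("CVE-2018-0489")
        # 6.6.x releases after 6.6.9 postdate this advisory; it lists no
        # issue for them, so none is reported here.
    else:  # 6.7.x: CVE-2018-7058/7059 were already fixed in 6.7.0
        if patch < 1:
            found.add("CVE-2018-7060")
        if patch < 2 and saml_sso_enabled:
            found.add("CVE-2018-0489")
    return sorted(found)


def recommended_action(version: str) -> str:
    """The upgrade path the advisory's Resolution section prescribes."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (6, 6):
        if patch < 9:
            return ("upgrade to 6.6.9, then install the "
                    "'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489'")
        return ("install the 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489' "
                "if not already applied")
    if (major, minor) == (6, 7):
        return "upgrade to 6.7.2" if patch < 2 else "no action required"
    raise ValueError(f"{version}: not covered by this advisory")


if __name__ == "__main__":
    # Constructed sample inventory: (version, hotfix applied, SAML SSO on).
    inventory = [
        ("6.6.8.100000", False, True),
        ("6.6.9.105291", False, True),
        ("6.6.9.105291", True, True),
        ("6.7.0", False, True),
        ("6.7.1", False, False),
        ("6.7.2", False, True),
    ]
    for ver, hotfix, sso in inventory:
        cves = affected_cves(ver, hotfix_0489_applied=hotfix, saml_sso_enabled=sso)
        print(f"{ver:14} hotfix={hotfix!s:5} sso={sso!s:5} "
              f"-> {', '.join(cves) or 'none'}; {recommended_action(ver)}")
```

The check deliberately refuses to answer for trains the advisory does not
mention instead of returning an empty list, so a fleet scan cannot report a
6.5.x appliance as clean on the strength of a document that never assessed it.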


Workarounds

None.

As a standard best practice, Aruba recommends that ClearPass administrators
restrict access to the Policy Manager Admin Web Interface. This can
be accomplished by navigating to Administration >> Server Manager >>
Server Configuration >> <Server-Name> >> Network >> Restrict Access
and allowing access only from non-public or network-management networks.