Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2018-007
CVE: CVE-2018-7063, CVE-2018-7065, CVE-2018-7066, CVE-2018-7067, CVE-2018-7079
Publication Date: 2018-Nov-7
Status: Confirmed
Revision: 1
Title
=====
ClearPass Policy Manager Multiple Vulnerabilities
Overview
========
Aruba has released an update to ClearPass Policy Manager that addresses multiple security vulnerabilities.
Affected Products
=================
ClearPass 6.7.x prior to 6.7.6
ClearPass 6.6.10 and earlier without hotfix applied
Details
=======
Disabled API admins can still perform read/write operations (CVE-2018-7063)
---------------------------------------------------------------------------
In certain circumstances, API admins in ClearPass which have been disabled
may still be able to perform read/write operations on parts of the XML API.
This can lead to unauthorized access to the API and complete compromise
of the ClearPass instance if an attacker knows of the existence of these
accounts.
Severity: Critical
CVSSv3 Overall Score: 9.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Workaround: Changing account passwords after disabling them prevents this issue.
Discovery: This vulnerability was discovered and reported by
William Rogers of L3 Technologies.
Resolution: Fixed in 6.7.3 and 6.6.10
Authenticated SQL injection can lead to privilege escalation (CVE-2018-7065)
----------------------------------------------------------------------------
All versions of ClearPass are affected by multiple authenticated SQL
injection vulnerabilities. In each case, an authenticated administrative
user of any type could exploit this vulnerability to gain access to
"appadmin" credentials, leading to complete cluster compromise.
Severity: HIGH
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.
Resolution: Fixed in 6.7.6 and 6.6.10-hotfix
Unauthenticated remote command execution on linked devices (CVE-2018-7066)
--------------------------------------------------------------------------
The ClearPass OnConnect feature permits administrators to link other
network devices into ClearPass for the purpose of collecting enhanced
information about connected endpoints. A defect in the API could allow
an attacker to execute arbitrary commands on one of the linked devices.
This vulnerability is only applicable if credentials for devices have
been supplied to ClearPass under Configuration -> Network -> Devices ->
CLI Settings.
Severity: CRITICAL
CVSSv3 Overall Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.
Resolution: Fixed in 6.7.5 and 6.6.10-hotfix
Authentication bypass leads to complete cluster compromise (CVE-2018-7067)
--------------------------------------------------------------------------
An authentication flaw in all versions of ClearPass could allow an attacker
to compromise the entire cluster through a specially crafted API call.
Network access to the administrative web interface is required to
exploit this vulnerability.
Severity: CRITICAL
CVSSv3 Overall Score: 10.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.
Resolution: Fixed in 6.7.6 and 6.6.10-hotfix
ClearPass Guest Authorization Failure (CVE-2018-7079)
-----------------------------------------------------
Certain administrative operations in ClearPass Guest do not properly
enforce authorization rules, which allows any authenticated administrative
user to execute those operations regardless of privilege level. This could
allow low-privilege users to view, modify, or delete guest users.
Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the Bugcrowd managed bug bounty program.
Resolution: Fixed in 6.7.6 and 6.6.10-hotfix
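The following Python is an added illustration, not Aruba's code and not drawn from ClearPass internals. It models the two authorization failures described above (a disabled account that can still act, CVE-2018-7063, and an operation that ignores the caller's privilege level, CVE-2018-7079) beside a hardened gate, and shows why the CVE-2018-7063 workaround of changing the password after disabling is effective even against the flawed path. The account fields, privilege levels, operation names and hashing parameters are all assumptions.

```python
"""Illustrative admin-API authorization gate (added example; not ClearPass code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AdminAccount:
    name: str
    pw_hash: bytes      # salted password hash
    privilege: str      # assumed privilege levels: "readonly" or "super"
    enabled: bool = True


SALT = b"constructed-salt"  # constructed; a real system uses a per-account random salt


def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed privilege table: the privilege each operation requires.
REQUIRED_PRIVILEGE = {"guest.view": "readonly", "guest.modify": "super", "guest.delete": "super"}
PRIV_RANK = {"readonly": 1, "super": 2}


def flawed_authorize(acct: AdminAccount, password: str, operation: str) -> bool:
    """Defective pattern: the credential alone decides access. The enabled flag is
    never consulted and every operation is granted once authenticated."""
    return hmac.compare_digest(acct.pw_hash, hash_pw(password))


def authorize(acct: AdminAccount, password: str, operation: str) -> bool:
    """Hardened gate: account status, credential and per-operation privilege all enforced."""
    if not acct.enabled:
        return False
    if not hmac.compare_digest(acct.pw_hash, hash_pw(password)):
        return False
    needed = REQUIRED_PRIVILEGE.get(operation)
    if needed is None:
        return False  # unknown operation: deny by default
    return PRIV_RANK[acct.privilege] >= PRIV_RANK[needed]


def disable_and_rotate(acct: AdminAccount) -> None:
    """The advisory's workaround: disable *and* replace the password, so even a gate
    that ignores the enabled flag stops accepting the old credential."""
    acct.enabled = False
    acct.pw_hash = hash_pw(secrets.token_urlsafe(32))
```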
Resolution
==========
Upgrade to ClearPass 6.7.6, or apply the 6.6.10 hotfix.
Workarounds
===========
None.
As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> <Server-Name> >> Network >> Restrict Access and only allowing non-public or network management networks.
Revision History
================
Revision 1 / 2018-Nov-7 / Initial release
Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.