Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-009
CVE: CVE-2020-7123, CVE-2021-29138, CVE-2021-29139, CVE-2021-29140, CVE-2021-29141, CVE-2021-29142, CVE-2021-29144, CVE-2021-29145, CVE-2021-29146, CVE-2021-29147
Publication Date: 2021-Apr-20
Status: Confirmed
Severity: Critical
Revision: 1




Title
=====
ClearPass Policy Manager Multiple Vulnerabilities




Overview
========
Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.




Affected Products
=================
ClearPass Policy Manager


Affected versions: Not all vulnerabilities in this advisory affect all ClearPass branches. Check the details section for exact version information.




Details
=======


Unauthenticated Server Side Request Forgery (SSRF) leading to Remote Code Execution (CVE-2021-29145)
---------------------------------------------------------------------


A vulnerability in the web-based management interface of ClearPass could allow an unauthenticated remote attacker to conduct a server side request forgery (SSRF) attack. A successful exploit allows an attacker to execute arbitrary code on the ClearPass host, leading to total cluster compromise.


Internal references: ATLCP-84
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored_engineer) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.9.x: prior to 6.9.1
- ClearPass 6.8.x: prior to 6.8.6
- ClearPass 6.7.x: prior to 6.7.14

Resolved Versions:
- ClearPass 6.9.x: 6.9.1 and above
- ClearPass 6.8.x: 6.8.6 and above
- ClearPass 6.7.x: 6.7.14 and above




Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Web Administration Interface (CVE-2021-29139, CVE-2021-29142, CVE-2021-29146)
---------------------------------------------------------------------


Multiple vulnerabilities in the web-based management interface of ClearPass could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.


Internal references: ATLCP-66, ATLCP-103, ATLCP-122
Severity: High
CVSSv3 Overall Score: 8.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H


Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) and khoiasd (bugcrowd.com/khoiasd) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.9.x: prior to 6.9.5
- ClearPass 6.8.x: prior to 6.8.9
- ClearPass 6.7.x: prior to 6.7.14-HF1

Resolved Versions:
- ClearPass 6.9.x: 6.9.5 and above
- ClearPass 6.8.x: 6.8.9 and above
- ClearPass 6.7.x: 6.7.14-HF1 and above




Unauthenticated XML External Entities (XXE) Attack in ClearPass Web Administration Interface (CVE-2021-29140)
---------------------------------------------------------------------


A vulnerability in the web-based management interface of ClearPass could allow an unauthenticated remote attacker to conduct an XML External Entities (XXE) attack. A successful exploit allows an attacker to read arbitrary files from the underlying host file system. This vulnerability can also be exploited to cause a denial of service condition in which legitimate users are unable to access or use the web management interface.


Internal references: ATLCP-61
Severity: Medium
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L


Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.8.x: prior to 6.8.4
- ClearPass 6.7.x: prior to 6.7.13

Resolved Versions:
- ClearPass 6.8.x: 6.8.4 and above
- ClearPass 6.7.x: 6.7.13 and above


Note: ClearPass 6.9.0 and above are not affected




Privilege Escalation in ClearPass OnGuard (CVE-2020-7123)
---------------------------------------------------------------------


A vulnerability in ClearPass OnGuard could allow local authenticated users on a Windows platform to elevate their privileges. A successful exploit could allow an attacker to execute arbitrary code with SYSTEM level privileges.


Internal references: ATLCP-74
Severity: High
CVSSv3 Overall Score: 7.8
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Discovery: This vulnerability was discovered and reported by Xavier Danest via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.8.x: prior to 6.8.5
- ClearPass 6.7.x: prior to 6.7.12

Resolved Versions:
- ClearPass 6.8.x: 6.8.5 and above
- ClearPass 6.7.x: 6.7.12 and above


Note: ClearPass 6.9.0 and above are not affected




Authenticated Information Disclosure in ClearPass Web Administration Interface (CVE-2021-29138)
---------------------------------------------------------------------


A vulnerability in the web-based management interface of ClearPass could allow an authenticated remote attacker to retrieve cluster credentials and thereby escalate privileges. A successful exploit allows an attacker to retrieve cluster credentials and authenticate as a higher privileged user.


Internal references: ATLCP-41
Severity: High
CVSSv3 Overall Score: 7.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N


Discovery: This vulnerability was discovered and reported by hateshape (bugcrowd.com/hateshape) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.8.x: prior to 6.8.1
- ClearPass 6.7.x: prior to 6.7.5

Resolved Versions:
- ClearPass 6.8.x: 6.8.1 and above
- ClearPass 6.7.x: 6.7.5 and above


Note: ClearPass 6.9.0 and above are not affected



Authenticated Command Injection via TACACS+ (CVE-2021-29147)
---------------------------------------------------------------------


ClearPass is able to act as a TACACS+ server for network devices. An authenticated command injection vulnerability exists in the ClearPass TACACS+ implementation. Successful exploitation allows an authenticated attacker to execute operating system commands.


Internal references: ATLCP-116
Severity: High
CVSSv3 Overall Score: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L


Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.9.x: prior to 6.9.4
- ClearPass 6.8.x: prior to 6.8.8
- ClearPass 6.7.x: prior to 6.7.14-HF1

Resolved Versions:
- ClearPass 6.9.x: 6.9.4 and above
- ClearPass 6.8.x: 6.8.8 and above
- ClearPass 6.7.x: 6.7.14-HF1 and above




Authenticated Retrieval of Sensitive Information in ClearPass Web Administration Interface (CVE-2021-29141, CVE-2021-29144)
---------------------------------------------------------------------


A vulnerability in the web-based management interface of ClearPass could allow a low privileged authenticated remote attacker to retrieve sensitive information that only a higher privileged user should have access to. A successful exploit allows an attacker to retrieve information they would not normally have access to.


Internal references: ATLCP-64, ATLCP-79
Severity: High
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N


Discovery: This vulnerability was discovered and reported by S4thi5h (bugcrowd.com/S4thi5h) via Aruba's Bug Bounty Program.


Affected Versions:
- ClearPass 6.8.x: prior to 6.8.5
- ClearPass 6.7.x: prior to 6.7.14

Resolved Versions:
- ClearPass 6.8.x: 6.8.5 and above
- ClearPass 6.7.x: 6.7.14 and above


Note: ClearPass 6.9.0 and above are not affected




Resolution
==========
The vulnerabilities contained in this advisory can be addressed by applying the patch versions listed below:


- ClearPass 6.9.x: 6.9.5 and above
- ClearPass 6.8.x: 6.8.9 and above
- ClearPass 6.7.x: 6.7.14-HF1 and above
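Because each issue above has its own fixed version per branch, and the 6.7.x branch additionally uses hotfix suffixes (6.7.14 is still exposed to issues fixed in 6.7.14-HF1), deciding which CVEs remain open on a given build is easy to get wrong by eye. The following is an added example, not Aruba's code or tooling: it transcribes the per-issue tables from this advisory and assumes only that version strings follow the `major.minor.patch[-HFn]` form used here.

```python
import re

# Fixed versions per branch, transcribed from the per-issue tables in this
# advisory. A branch missing from an entry is one the advisory marks as not
# affected ("ClearPass 6.9.0 and above are not affected").
_XSS = {"6.9": "6.9.5", "6.8": "6.8.9", "6.7": "6.7.14-HF1"}
_INFO = {"6.8": "6.8.5", "6.7": "6.7.14"}
FIXED_IN = {
    "CVE-2021-29145": {"6.9": "6.9.1", "6.8": "6.8.6", "6.7": "6.7.14"},
    "CVE-2021-29139": _XSS, "CVE-2021-29142": _XSS, "CVE-2021-29146": _XSS,
    "CVE-2021-29140": {"6.8": "6.8.4", "6.7": "6.7.13"},
    "CVE-2020-7123": {"6.8": "6.8.5", "6.7": "6.7.12"},
    "CVE-2021-29138": {"6.8": "6.8.1", "6.7": "6.7.5"},
    "CVE-2021-29147": {"6.9": "6.9.4", "6.8": "6.8.8", "6.7": "6.7.14-HF1"},
    "CVE-2021-29141": _INFO, "CVE-2021-29144": _INFO,
}
# Branches the advisory speaks about at all; anything else is out of scope.
ADVISORY_BRANCHES = ("6.7", "6.8", "6.9")

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-HF(\d+))?$")


def parse_version(text):
    """'6.7.14-HF1' -> (6, 7, 14, 1). A plain release carries hotfix 0,
    so 6.7.14 sorts below 6.7.14-HF1 but above 6.7.13."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ClearPass version: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def assess(version_text):
    """Map every CVE in the advisory to 'affected', 'fixed', 'not affected'
    (branch excluded by the advisory) or 'not covered' (branch not listed)."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    result = {}
    for cve, fixed in FIXED_IN.items():
        if branch not in ADVISORY_BRANCHES:
            result[cve] = "not covered"
        elif branch not in fixed:
            result[cve] = "not affected"
        elif v < parse_version(fixed[branch]):
            result[cve] = "affected"
        else:
            result[cve] = "fixed"
    return result


def needs_upgrade(version_text):
    """CVEs still open on this build, i.e. what the Resolution versions close."""
    return sorted(c for c, s in assess(version_text).items() if s == "affected")
```

`needs_upgrade("6.7.14")` reports the three XSS issues and the TACACS+ command injection as still open, which is exactly why the Resolution section names 6.7.14-HF1 rather than 6.7.14 for that branch.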




Workaround
==========
To minimize the likelihood of an attacker exploiting some of these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.




ClearPass Security Hardening
============================
For general information on hardening ClearPass instances against security threats please see the ClearPass Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us




Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code related to these issues.




Revision History
================
Revision 1 / 2021-Apr-20 / Initial release




Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/



(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.