Source: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-013.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-013
CVE: CVE-2022-23685, CVE-2022-23692, CVE-2022-23693,
     CVE-2022-23694, CVE-2022-23695, CVE-2022-23696, 
     CVE-2022-37877, CVE-2022-37878, CVE-2022-37879, 
     CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, 
     CVE-2022-37883, CVE-2022-37884
Publication Date: 2022-Sep-07
Status: Confirmed
Severity: High
Revision: 1


Title
=====
ClearPass Policy Manager Multiple Vulnerabilities


Overview
========
Aruba has released updates to ClearPass Policy Manager that
address multiple security vulnerabilities.


Affected Products
=================
These vulnerabilities affect ClearPass Policy Manager running the
following patch versions unless specifically noted otherwise in
the details section:

  - ClearPass Policy Manager 6.10.x: 6.10.6 and below
  - ClearPass Policy Manager 6.9.x:  6.9.11 and below

Updating ClearPass Policy Manager to a patch version listed in
the Resolution section at the end of this advisory will resolve
all issues in the details section.

Versions of ClearPass Policy Manager that are end of life are
affected by these vulnerabilities unless otherwise indicated.
Impacted customers should plan to migrate to a supported version.
Supported versions as of the release of this advisory are:

  - ClearPass Policy Manager 6.10.x
  - ClearPass Policy Manager 6.9.x


Details
=======
 
  Authenticated SQL Injection Vulnerabilities in ClearPass Policy
  Manager Web-based Management Interface
  (CVE-2022-23692, CVE-2022-23693, CVE-2022-23694,
   CVE-2022-23695, CVE-2022-23696)
  ---------------------------------------------------------------------
    Vulnerabilities in the web-based management interface of
    ClearPass Policy Manager could allow an authenticated
    remote attacker to conduct SQL injection attacks against
    the ClearPass Policy Manager instance. An attacker could
    exploit these vulnerabilities to obtain and modify sensitive
    information in the underlying database potentially leading to
    complete compromise of the ClearPass Policy Manager cluster.

    Internal references: ATLCP-177, ATLCP-178, ATLCP-180,
                         ATLCP-201, ATLCP-202
    Severity: High
    CVSSv3 Overall Score: 8.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered and reported
    by Luke Young (bugcrowd.com/bored-engineer) and Daniel Jensen
    (@dozernz) via Aruba's Bug Bounty Program.


  Lack of Cross-Site Request Forgery (CSRF) Protections for some
  Endpoints in ClearPass Policy Manager
  (CVE-2022-23685)
  ---------------------------------------------------------------------
    A vulnerability in the ClearPass Policy Manager web-based
    management interface exists which exposes some endpoints to
    a lack of Cross-Site Request Forgery (CSRF) protection. This
    could allow a remote unauthenticated attacker to execute
    arbitrary input against these endpoints if the attacker can
    convince an authenticated user of the interface to interact
    with a specially crafted URL.

    Internal References: ATLCP-219
    Severity: High
    CVSSv3.x Overall Score: 8.1
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

    Discovery: This vulnerability was discovered and reported by
    the Aruba ClearPass Policy Manager Engineering Team.


  Local Privilege Escalation in ClearPass OnGuard macOS Agent
  (CVE-2022-37877)
  ---------------------------------------------------------------------
    A vulnerability in the ClearPass OnGuard macOS agent could
    allow malicious users on a macOS instance to elevate their
    user privileges. A successful exploit could allow these users
    to execute arbitrary code with root level privileges on the
    macOS instance.

    Internal references: ATLCP-205
    Severity: High
    CVSSv3 Overall Score: 8.0
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

    Discovery: This vulnerability was discovered and reported
    by Luke Young (bugcrowd.com/bored_engineer) via Aruba's Bug
    Bounty Program.


  Authenticated Remote Command Injection in ClearPass Policy
  Manager Web-Based Management Interface
  (CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, 
   CVE-2022-37881, CVE-2022-37882, CVE-2022-37883)
  ---------------------------------------------------------------------
    Vulnerabilities in the ClearPass Policy Manager web-based
    management interface allow remote authenticated users to
    run arbitrary commands on the underlying host. A successful
    exploit could allow an attacker to execute arbitrary commands
    as root on the underlying operating system leading to
    complete system compromise.

    Internal References: ATLCP-166, ATLCP-179, ATLCP-183,
                         ATLCP-189, ATLCP-193, ATLCP-197
    Severity: High
    CVSSv3.x Overall Score: 7.2
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered and reported
    by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.


  Unauthenticated Denial-of-Service Condition in ClearPass Policy
  Manager Guest User Interface
  (CVE-2022-37884)
  ---------------------------------------------------------------------
    A vulnerability exists in the ClearPass Policy Manager Guest
    User Interface that can allow an unauthenticated attacker to
    send specific operations which result in a Denial-of-Service
    condition. A successful exploitation of this vulnerability
    results in the unavailability of the guest interface.
    
    Internal Reference: ATLCP-167
    Severity: Medium
    CVSSv3.x Overall Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

    Discovery: This vulnerability was discovered and reported by
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.


Resolution
==========
The vulnerabilities contained in this advisory can be addressed
by patching or upgrading to one of the ClearPass Policy Manager
versions listed below:

  - ClearPass Policy Manager 6.10.x: 6.10.7 and above
  - ClearPass Policy Manager 6.9.x:  6.9.12 and above
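The affected and fixed patch levels above are usually applied to an
inventory rather than read one host at a time. The following Python is
an added example, not Aruba's tooling: it compares ClearPass Policy
Manager version strings numerically (so 6.10.10 sorts after 6.10.7, which
string comparison gets wrong), classifies each against the branch
boundaries this advisory gives, and treats branches older than 6.9.x as
end of life and affected, as the Affected Products section states. The
hostnames in `INVENTORY` are constructed, and reporting branches newer
than 6.10.x as "not-covered" is this example's own assumption, since the
advisory lists no such branch.

```python
"""Affected-version triage for ARUBA-PSA-2022-013 (added example, not Aruba tooling)."""

# First fixed patch per supported branch, taken from the Resolution section.
# Branches older than these are end of life and, per the advisory,
# affected unless otherwise indicated.
FIRST_FIXED = {
    (6, 10): (6, 10, 7),
    (6, 9): (6, 9, 12),
}


def parse_version(text):
    """Turn '6.10.6' into (6, 10, 6). Anything other than three dot-separated
    integers is rejected so an inventory typo cannot read as 'fixed'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised ClearPass version: %r" % text)
    return tuple(int(p) for p in parts)


def assess(text):
    """Classify one version against the advisory.
    Returns 'affected', 'fixed', 'affected-eol' or 'not-covered'."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIRST_FIXED:
        return "fixed" if v >= FIRST_FIXED[branch] else "affected"
    if branch < min(FIRST_FIXED):
        return "affected-eol"  # 6.8.x and older: end of life, still affected
    return "not-covered"       # newer than any listed branch (assumption)


def remediation(text):
    """Human-readable action for one version."""
    status = assess(text)
    if status == "affected":
        fixed = FIRST_FIXED[parse_version(text)[:2]]
        return "upgrade to %s or later" % ".".join(map(str, fixed))
    if status == "affected-eol":
        return "migrate to a supported branch (6.9.x or 6.10.x) at a fixed patch level"
    if status == "fixed":
        return "no action for this advisory"
    return "branch not covered by this advisory; check for a newer PSA"


# Constructed inventory lines (hostname, version); not real hosts.
INVENTORY = """\
cppm-01.example.internal 6.10.6
cppm-02.example.internal 6.10.7
cppm-03.example.internal 6.9.11
cppm-04.example.internal 6.9.12
cppm-lab.example.internal 6.8.9
"""


def triage(inventory=INVENTORY):
    """Return {status: [hostnames]} so affected nodes can be listed for patching."""
    buckets = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        buckets.setdefault(assess(version), []).append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in sorted(triage().items()):
        print("%-13s %s" % (status, ", ".join(hosts)))
    for version in ("6.10.6", "6.9.11", "6.8.9"):
        print(version, "->", remediation(version))
```

The tuple comparison is what makes this safe to reuse for later patch
levels: once a branch has a two-digit patch number, comparing version
strings lexically would mark a fixed host as affected.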

Aruba does not evaluate or patch ClearPass Policy Manager
versions that have reached their End of Support (EoS) milestone.
For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/


Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based
management interfaces for ClearPass Policy Manager be restricted
to a dedicated layer 2 segment/VLAN and/or controlled by firewall
policies at layer 3 and above.


ClearPass Policy Manager Security Hardening
===========================================
For general information on hardening ClearPass Policy
Manager instances against security threats please see the
ClearPass Policy Manager Hardening Guide available at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en_us
for ClearPass Policy Manager 6.9.x and earlier versions.

For ClearPass 6.10.x the ClearPass Policy
Manager Hardening Guide is available at
https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm


Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
targets these specific vulnerabilities as of the release date of
the advisory.


Revision History
================
Revision 1 / 2022-Sep-07 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in
Aruba Networks products and obtaining assistance with security
incidents is available at:

https://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be found
at:

https://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
company. This advisory may be redistributed freely after the
release date given at the top of the text, provided that the
redistributed copies are complete and unmodified, including all
data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMHgBgXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk4RwgAh3LkQyH3a1MC+/oN2s7L1A/J
5HJA5Sj4Rp7YEYRFIOsW6+MzvdWiJyooP9KwjK3mXdlAVxxQQG4kmx+KWTAJKxYq
MntGikHQsoe/xcc9pqVRINIHpjofipaK6zYwPJNC8cBi8IgabGW/eD9nsDloi3mJ
up+IeAMtN1af0O7/UB8bPWp0bFPYuSYUz6RGSKIfAoDRAwnbD5BRynUFhG+eunOT
AtpZTz+9a7k3EpFrniQckJQci4w/T+TDL/HOS9suv1PPZFuQALyRPtScZGHTV4b6
/7cuqsOZcwld8Xy9UkpPUdWofoD5kY0aKp6cTfjn7ZMKY0/x8NG6UDDFBbcv8Q==
=R1LV
-----END PGP SIGNATURE-----