Aruba ClearPass Policy Manager <= 6.x.x < 6.8.9-HF2 / 6.9.x < 6.9.9 / 6.10.x < 6.10.4 Multiple Vulnerabilities

critical Nessus Plugin ID 161701

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

The version of Aruba ClearPass Policy Manager installed on the remote host is prior or equal to 6.7, 6.8.9-HF2, 6.9.9, 6.10.4. It is, therefore, affected by multiple vulnerabilities as referenced in the ARUBA-PSA-2022-007 advisory.

- An information disclosure vulnerability exists in the web-based management interface of ClearPass Policy Manager.
An authenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2022-23670)

- A denial of service (DoS) vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. An unauthenticated, remote attacker can exploit this issue, via WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager, to cause the process to stop responding. (CVE-2021-21419)

- A denial of service (DoS) vulnerability exists in Python Urllib library used by ClearPass Policy Manager. An authenticated, remote attacker can exploit this issue, via the web-based management, to cause the application to stop responding. (CVE-2021-33503)

- An authentication bypass vulnerability exists in web-based management interface of ClearPass Policy Manager. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary actions with root privileges. (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660)

- A reflected cross-site scripting (XSS) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2022-23659)

- A command injection vulnerability exists in the ClearPass Policy Manager command line interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23661, CVE-2022-23662)

- A command injection vulnerability exists in the ClearPass Policy Manager web-based management interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23663, CVE-2022-23664, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673)

- A command injection vulnerability exists in Aruba ClearPass Policy Manager. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23665)

- A command injection vulnerability exists in the ClearPass Policy Manager command line interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23667)

- A Server Side Request Forgery (SSRF) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of session & user-accessible input data. The insecure processing of the input by the vulnerable application server allows an unauthenticated, remote attacker the ability to exploit this by sending a specially crafted message to the server to create a trusted remote session with a malicious external target.
(CVE-2022-23668)

- An authentication bypass vulnerability exists in ClearPass Policy Manager due to the handling of SAML token expiration.
An authenticated, remote attacker can exploit this, via possession of a valid token to reuse the token after session expiration, to bypass authentication and execute arbitrary actions with user privileges. (CVE-2022-23669)

- An information disclosure vulnerability exists in ClearPass Policy Manager cluster network position. An authenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2022-23671)

- A authenticated stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2022-23674, CVE-2022-23675)


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Please see vendor advisory

See Also

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt

Plugin Details

Severity: Critical

ID: 161701

File Name: aruba_clearpass_polman_6_10_4.nasl

Version: 1.4

Type: local

Family: Misc.

Published: 5/31/2022

Updated: 6/1/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-23660

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:arubanetworks:clearpass

Required KB Items: Host/Aruba_Clearpass_Policy_Manager/version

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2022

Vulnerability Publication Date: 5/4/2022

Reference Information

CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658, CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662, CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670, CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674, CVE-2022-23675