
How to remediate – Aruba ClearPass Policy Manager <= 6.x.x < 6.8.9-HF2 / 6.9.x < ...

1. Introduction

Aruba ClearPass Policy Manager is affected by multiple vulnerabilities, specifically in its database server and web-based management interface. These issues could allow attackers to disclose sensitive information, cause a denial of service, bypass authentication, execute arbitrary commands, or inject malicious code. Systems running ClearPass Policy Manager versions 6.7, 6.8.9-HF2, 6.9.9, and 6.10.4 are typically affected. This could impact the confidentiality, integrity, and availability of network access control systems.

2. Technical Explanation

Multiple vulnerabilities exist in Aruba ClearPass Policy Manager due to flaws in its database server, bundled Python libraries (Eventlet and Urllib), web-based management interface, and command line interface. An attacker could exploit these issues by sending crafted requests to the ClearPass Policy Manager, abusing input validation errors, or abusing existing authentication mechanisms. CVE-2021-21419 is a denial of service vulnerability in the Python Eventlet library. CVE-2021-33503 is a denial of service vulnerability in the Python Urllib library.

  • Root cause: The vulnerabilities stem from insecure coding practices, including improper input validation, use of vulnerable libraries, and insufficient access controls.
  • Exploit mechanism: Attackers can exploit these issues through web-based management interface requests, command line interactions, or by targeting the database server directly. For example, CVE-2022-23657 allows an unauthenticated attacker to bypass authentication via a flaw in SAML token handling.
  • Scope: Affected versions include ClearPass Policy Manager 6.x.x < 6.8.9-HF2 and 6.9.x < 6.10.4.

3. Detection and Assessment

To confirm vulnerability, check the installed version of ClearPass Policy Manager. A thorough assessment involves reviewing logs for suspicious activity related to authentication attempts or command execution.

  • Quick checks: Use the web interface or CLI to display the ClearPass Policy Manager version. For example, from the CLI use show version.
  • Scanning: Nessus and other vulnerability scanners may identify these issues based on self-reported version numbers. However, manual verification is recommended.
  • Logs and evidence: Check logs for failed authentication attempts, unusual command executions, or suspicious network activity. Relevant log files are typically located in /var/log/clearpass/.
  Example CLI check:
    show version
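As an added example (not part of the original article or a vendor tool), the following script takes the version token from show version output and tests it against the two affected ranges named in this article, 6.x.x below 6.8.9-HF2 and 6.9.x below 6.10.4. The sample CLI output is constructed for illustration; the exact output layout of the real command is an assumption and only the version token is relied upon.

```python
import re
from typing import Optional, Tuple

# Comparable version key: (major, minor, patch, hotfix). A trailing build
# number (fourth dotted field) is ignored; a missing hotfix counts as HF0.
VersionKey = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-HF(\d+))?", re.IGNORECASE)

# Affected ranges exactly as listed in this article (lower bound inclusive,
# upper bound exclusive). Versions outside both ranges are reported as
# "not in listed ranges", which is not the same as "confirmed fixed".
AFFECTED_RANGES = [
    ((6, 0, 0, 0), (6, 8, 9, 2)),    # 6.x.x < 6.8.9-HF2
    ((6, 9, 0, 0), (6, 10, 4, 0)),   # 6.9.x < 6.10.4
]


def parse_version(version: str) -> VersionKey:
    """Turn '6.9.7.130064' or '6.8.9-HF2' into a comparable key."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def extract_version(show_version_output: str) -> Optional[str]:
    """Return the first version-looking token in the CLI output, if any."""
    m = _VERSION_RE.search(show_version_output)
    return m.group(0) if m else None


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    key = parse_version(version)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample of CLI output (layout is an assumption, not real output).
SAMPLE_OUTPUT = """ClearPass Policy Manager
Version: 6.9.7.130064
"""

if __name__ == "__main__":
    found = extract_version(SAMPLE_OUTPUT)
    status = "affected" if found and is_affected(found) else "not in listed ranges"
    print(f"{found}: {status}")
```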

4. Solution / Remediation Steps

4.1 Preparation

  • Ensure you have access to Aruba support and download the latest patch from their website. A rollback plan involves restoring the pre-patch backup.
  • A change window may be needed due to service interruption during patching. Approval should be obtained from relevant IT stakeholders.

4.2 Implementation

  1. Download the latest ClearPass Policy Manager patch (HF3 or later) from the Aruba support portal.
  2. Follow the vendor’s instructions to install the patch on your ClearPass Policy Manager instance. This typically involves uploading the patch file through the web interface and following the prompts.

4.3 Config or Code Example

Before

ClearPass Policy Manager Version: 6.9.x < 6.10.4

After

ClearPass Policy Manager Version: 6.10.x or later (patched)

4.4 Security Practices Relevant to This Vulnerability

  • Least privilege: Restrict access to ClearPass Policy Manager command line interface and web-based management interface to only authorized personnel.
  • Input validation: Implement strict input validation on all user-supplied data to prevent injection attacks.
  • Patch cadence: Establish a regular patch management process to ensure timely application of security updates.

4.5 Automation (Optional)

Automation scripts for patching ClearPass Policy Manager are not commonly available due to the complexity of the system and vendor-specific requirements. Manual patching is generally recommended.

5. Verification / Validation

Verify that the patch has been applied successfully by checking the ClearPass Policy Manager version. Re-test authentication bypass attempts and command execution vulnerabilities to confirm they are no longer exploitable. Perform a basic service smoke test to ensure core functionality remains operational.

  • Post-fix check: Use show version in the CLI or web interface to verify the ClearPass Policy Manager version is updated to HF3 or later.
  • Re-test: Attempt to exploit CVE-2022-23657 (authentication bypass) and confirm it fails.
  • Smoke test: Verify that users can still authenticate successfully and access network resources through ClearPass.
  Post-fix CLI check:
    show version

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines to include the latest ClearPass Policy Manager configuration settings recommended by Aruba Networks.
  • Asset and patch process: Maintain a regular patch review cycle for all network devices, including ClearPass Policy Manager.

7. Risks, Side Effects, and Roll Back

  • Service interruption: Patch installation may cause temporary service interruption. Schedule patching during off-peak hours to minimize impact.
  • Roll back: Restore the pre-patch backup of your ClearPass Policy Manager instance if any issues occur during patching.

8. References and Resources

Updated on October 26, 2025
