Aruba Networks ClearPass Policy Manager SQL Injection and Credential Disclosure

2014.07.18
Credit: Nate Roberts from Wipfli LLP in June
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-4031
CWE: CWE-200


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Advisory Number 07032014 CVE-2014-4013 - SQL Injection vulnerability in ClearPass Policy Manager CVE-2014-4031 - Credential Disclosure vulnerability in ClearPass Policy Manager TITLE SQL Injection and Credential Disclosure Vulnerability in Aruba Networks ClearPass Policy Manager SUMMARY SQL Injection and Credential Disclosure vulnerabilities have been discovered in Aruba Networks ClearPass Policy Manager. This advisory describes ClearPass' exposure to these vulnerabilities. AFFECTED VERSIONS - -- ClearPass 5.X, 6.0.X, 6.1.X, 6.2.X, 6.3.X DETAILS An attacker with access to ClearPass Policy Manager's web interface can inject SQL commands using a carefully crafted request. In addition, such an attacker can force the disclosure of credentials used to access the ClearPass Policy Manager database(s). The attacker must have valid credentials to access ClearPass Policy Manager, although an administrator-level login is not necessary. DISCOVERY These vulnerabilities were discovered by Nate Roberts from Wipfli LLP in June, 2014. Aruba Networks would like to thank Nate for his assistance. IMPACT The attacker can discover credentials used to access ClearPass Policy Manager, as well as discover additional information about the system such as the version number of ClearPass' database engine. Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. CVE-2014-4013: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:A/AC:M/Au:S/C:P/I:P/A:P) CVE-2014-4031: CVSS v2 Base Score: 5.5 (MEDIUM) (AV:A/AC:H/Au:S/C:P/I:P/A:C) MITIGATION Aruba Networks recommends that all customers use access control methods such as network-level ACLs to restrict access to the ClearPass Policy Manager UI. If using ClearPass 6.1.0 and above, Aruba recommends that customers use Access Control options available within the ClearPass administration interface to permit access to ClearPass Policy Manager from secure network locations only. SOLUTION Aruba Networks recommends that all customers running either of the below 6.1.X or 6.2.X versions apply the corresponding Security Patch released July 2014, as soon as practical. - ClearPass 6.1.4.55458, 6.1.4.61696, or - ClearPass 6.2.6.62196. Customers running either of the below 6.3.X versions apply the 6.3.4 (Cumulative Patch 4 released July 2014), as soon as practical. - ClearPass 6.3.0.60537, or 6.3.0.60730 or 6.3.0.61712, or - ClearPass 6.3.1.62009, or - ClearPass 6.3.2.63239, and - ClearPass 6.3.3.63748 Customers running ClearPass versions prior to 6.1 are urged to upgrade to ClearPass Policy Manager 6.1.4 as soon as practical. +---------------------------------------------------- OBTAINING FIXED SOFTWARE Aruba customers can obtain software updates on the support website: http://support.arubanetworks.com Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) The full contact list is at: http://www.arubanetworks.com/support-services/support-program/contact-support/ e-mail: support(at)arubanetworks.com Please do not contact "sirt(at)arubanetworks.com" for software upgrades. STATUS OF THIS NOTICE: Preliminary Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUNCEMENT This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-07032014.txt Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY Revision 1.0 / 07-03-2014 / Initial release ARUBA SIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2014 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

References:

http://www.arubanetworks.com/support/alerts/aid-07032014.txt
http://secunia.com/advisories/58936


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top