Advisory Number 07032014
CVE-2014-4013 - SQL Injection vulnerability in ClearPass Policy Manager
CVE-2014-4031 - Credential Disclosure vulnerability in ClearPass Policy Manager
TITLE
SQL Injection and Credential Disclosure Vulnerabilities in Aruba Networks ClearPass Policy Manager
SUMMARY
SQL Injection and Credential Disclosure vulnerabilities have been discovered in
Aruba Networks ClearPass Policy Manager. This advisory describes ClearPass' exposure to these
vulnerabilities.
AFFECTED VERSIONS
-- ClearPass 5.X, 6.0.X, 6.1.X, 6.2.X, 6.3.X
DETAILS
An attacker with access to ClearPass Policy Manager's web interface can inject SQL commands
using a carefully crafted request. In addition, such an attacker can force the disclosure of
credentials used to access the ClearPass Policy Manager database(s). The attacker must
have valid credentials to access ClearPass Policy Manager, although an administrator-level
login is not necessary.
DISCOVERY
These vulnerabilities were discovered by Nate Roberts from Wipfli LLP in June 2014.
Aruba Networks would like to thank Nate for his assistance.
IMPACT
The attacker can discover credentials used to access ClearPass Policy Manager, as well as
discover additional information about the system such as the version number of ClearPass'
database engine.
Aruba Networks participates in the Common Vulnerability Scoring System (CVSS).
This rating system is a vendor agnostic, industry open standard designed to
convey vulnerability severity and help determine urgency and priority of
response.
CVE-2014-4013: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:A/AC:M/Au:S/C:P/I:P/A:P)
CVE-2014-4031: CVSS v2 Base Score: 5.5 (MEDIUM) (AV:A/AC:H/Au:S/C:P/I:P/A:C)
MITIGATION
Aruba Networks recommends that all customers use access control methods such
as network-level ACLs to restrict access to the ClearPass Policy Manager UI.
If using ClearPass 6.1.0 and above, Aruba recommends that customers use
Access Control options available within the ClearPass administration interface
to permit access to ClearPass Policy Manager from secure network locations only.
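As an added example, not code from Aruba or from ClearPass itself, the following Python
script applies the two points above to a web server access log: the attack requires
requests to the web interface, and access to that interface should be limited to trusted
networks. It flags requests to the management UI arriving from outside an allowed
management subnet, and flags query-string parameters carrying SQL injection indicators
(a string delimiter combined with SQL keywords, comment sequences or database version
probes) while letting a lone apostrophe in a name such as O'Brien pass. The log lines,
the /admin/ path prefix, the 10.10.5.0/24 management subnet and the scoring weights are
constructed assumptions; this advisory does not describe ClearPass's log format, its
endpoint paths or the injected query.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in common log format; these are NOT real ClearPass logs.
SAMPLE_LOG = """\
10.10.5.20 - admin [03/Jul/2014:10:01:12 +0000] "GET /admin/ HTTP/1.1" 200 5120
192.0.2.77 - helpdesk [03/Jul/2014:10:02:03 +0000] "GET /admin/search?q=guest HTTP/1.1" 200 880
192.0.2.77 - helpdesk [03/Jul/2014:10:02:41 +0000] "GET /admin/search?q=guest%27%20UNION%20SELECT%20version()--%20 HTTP/1.1" 200 912
10.10.5.21 - ops [03/Jul/2014:10:03:10 +0000] "GET /admin/search?q=O%27Brien HTTP/1.1" 200 640
"""

# Assumed management network and UI path prefix (hypothetical; adjust to your deployment).
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
UI_PREFIXES = ("/admin/",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Weighted indicators; a single quote alone (score 1) is not enough to flag a request.
SQLI_INDICATORS = [
    (re.compile("['\"]"), 1),                                               # string delimiter
    (re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I), 2),  # SQL keyword
    (re.compile(r"(--|/\*|;)"), 1),                                         # comment / terminator
    (re.compile(r"(version\s*\(\)|@@version|pg_sleep|sleep\s*\()", re.I), 2),  # fingerprint/timing probe
    (re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I), 2),                 # tautology such as or 1=1
]
SQLI_THRESHOLD = 3


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; decode a second time so double-encoded payloads are also seen.
    rec["params"] = [(k, unquote_plus(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def sqli_score(value):
    """Sum the weights of every injection indicator present in a parameter value."""
    return sum(weight for pat, weight in SQLI_INDICATORS if pat.search(value))


def is_ui_request(path):
    return path.startswith(UI_PREFIXES)


def from_mgmt_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def audit(log_text):
    """Return a list of (finding, source_ip, user, detail) tuples for the given log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_ui_request(rec["path"]) and not from_mgmt_net(rec["ip"]):
            findings.append(("ui_from_untrusted_net", rec["ip"], rec["user"], rec["path"]))
        for name, value in rec["params"]:
            if sqli_score(value) >= SQLI_THRESHOLD:
                findings.append(("sqli_indicator", rec["ip"], rec["user"], f"{name}={value!r}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Run against the constructed sample, the script reports the two helpdesk requests from
192.0.2.77 as UI access from an untrusted network and the third line, whose q parameter
decodes to a quote followed by UNION SELECT version()--, as an injection indicator; the
O'Brien lookup from the management subnet produces no finding. Replace SAMPLE_LOG with
your own web server log and set MGMT_NETS and UI_PREFIXES for your environment.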
SOLUTION
Aruba Networks recommends that all customers running any of the 6.1.X or 6.2.X
versions listed below apply the corresponding Security Patch released in July 2014
as soon as practical:
- ClearPass 6.1.4.55458 or 6.1.4.61696, or
- ClearPass 6.2.6.62196.
Customers running any of the 6.3.X versions listed below should apply 6.3.4
(Cumulative Patch 4, released July 2014) as soon as practical:
- ClearPass 6.3.0.60537, 6.3.0.60730 or 6.3.0.61712,
- ClearPass 6.3.1.62009,
- ClearPass 6.3.2.63239, or
- ClearPass 6.3.3.63748.
Customers running ClearPass versions prior to 6.1 are urged to upgrade to
ClearPass Policy Manager 6.1.4 as soon as practical.
OBTAINING FIXED SOFTWARE
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/
e-mail: support(at)arubanetworks.com
Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
STATUS OF THIS NOTICE: Preliminary
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-07032014.txt
Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
REVISION HISTORY
Revision 1.0 / 07-03-2014 / Initial release
ARUBA SIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.