HPE Aruba's ClearPass Policy Manager security software has several security vulnerabilities. These could allow attackers to inject and execute malicious code. Updated software is available to close the gaps.
Aruba ClearPass Policy Manager is designed to secure networks in the spirit of Zero Trust, for example by granting employees and guests connecting to the corporate network the fewest rights possible. A security advisory from Aruba now warns of several security vulnerabilities in the software, some of them critical.
Clearpass Policy Manager: Gaps also caused by third-party components
One vulnerability affects the included Apache Struts component and allows commands to be injected (CVE-2023-50164, CVSS 9.8, risk "critical"). Five security holes affect the web-based management interface and allow logged-in attackers on the network to execute arbitrary commands as the root user of the host operating system, thus completely compromising the system (CVE-2024-26294, CVE-2024-26295, CVE-2024-26296, CVE-2024-26297, CVE-2024-26298; all CVSS 7.2, high).
There are also cross-site scripting vulnerabilities in the guest and admin web interfaces (CVE-2024-26299, CVE-2024-26300, CVSS 6.6, medium) and information-disclosure flaws (CVE-2024-26301, CVSS 6.5, medium; CVE-2024-26302, CVSS 4.8, medium).
The vulnerabilities affect ClearPass Policy Manager 6.12.0, 6.11.6, 6.10.8 Hotfix Q4 2023 and 6.9.13 Hotfix Q4 2023 and older releases. Releases that have already reached end of life are also affected. Updating to ClearPass Policy Manager 6.12.1, 6.11.7, 6.10.8 Hotfix Patch 8 Q1 2024 or 6.9.13 Hotfix Patch 7 Q1 2024, or newer versions, closes the holes. HPE Aruba also recommends restricting the web-based management interface to a dedicated Layer 2 network segment/VLAN, or with firewall policies at Layer 3 and above, so that attackers cannot easily exploit the vulnerabilities.
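As an added example, not code from Aruba or from the original article, the following Python helpers turn the two actionable points above into checks a defender can run: which installed versions are already on a fixed release, and whether a connection to the management interface comes from the dedicated admin segment. The fixed release numbers are the ones quoted above; the assumptions are that the 6.12 and 6.11 trains can be compared numerically (the 6.10.8 and 6.9.13 trains are fixed only by named hotfix patches, which a bare version number cannot show), that the admin UI listens on TCP 443, and that the management VLAN is 10.10.10.0/24 (a constructed value).

```python
"""Triage helpers for the ClearPass Policy Manager advisory (added example)."""
from __future__ import annotations

import ipaddress
import re

# Fixed releases named in the advisory for trains where a numeric comparison
# is sufficient (assumption: no further qualifiers on these trains).
FIXED_MIN = {
    (6, 12): (6, 12, 1),
    (6, 11): (6, 11, 7),
}

# Trains that are fixed only by a specific hotfix patch; the patch level has
# to be confirmed in the appliance's own patch list, not from the version.
HOTFIX_TRAINS = {
    (6, 10): "6.10.8 Hotfix Patch 8 Q1 2024",
    (6, 9): "6.9.13 Hotfix Patch 7 Q1 2024",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from a version string such as '6.11.6'."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+).*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify an installed version against the advisory's fixed releases."""
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_MIN:
        return "fixed" if v >= FIXED_MIN[train] else "affected"
    if train in HOTFIX_TRAINS:
        return f"check hotfix level: needs {HOTFIX_TRAINS[train]}"
    # Anything older falls under "older releases" / end of life in the advisory.
    return "unsupported train (treat as affected)"


# Constructed management VLAN; replace with the real admin segment.
MGMT_ALLOWED = [ipaddress.ip_network("10.10.10.0/24")]


def mgmt_access_allowed(src: str, allowed=MGMT_ALLOWED) -> bool:
    """True if a source address belongs to one of the permitted admin networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowed)


def nft_policy(allowed=MGMT_ALLOWED, port: int = 443) -> str:
    """Render an nftables input-chain fragment that only admits the admin
    networks to the management UI port (assumption: UI on TCP 443)."""
    nets = ", ".join(str(n) for n in allowed)
    return "\n".join([
        f"tcp dport {port} ip saddr {{ {nets} }} accept",
        f"tcp dport {port} drop",
    ])


if __name__ == "__main__":
    for ver in ("6.12.0", "6.12.1", "6.11.6", "6.11.7", "6.10.8", "6.8.0"):
        print(ver, "->", assess(ver))
    print(nft_policy())
```

The `assess` result for the 6.10 and 6.9 trains deliberately refuses to say "fixed": on those trains two appliances reporting the same version can differ only in the hotfix patch applied, so the patch list must be checked by hand. The nftables fragment is a template to paste into an existing `input` chain; it does not replace a proper ruleset.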
Most recently, Aruba access points were vulnerable. The manufacturer released security updates in mid-November to secure the devices.
(dmk)