The version of Aruba ClearPass Policy Manager installed on the remote host is prior or equal to 6.7, 6.8.9-HF2, 6.9.9, 6.10.4. It is, therefore, affected by multiple vulnerabilities as referenced in the ARUBA-PSA-2022-007 advisory.

– An information disclosure vulnerability exists in the web-based management interface of ClearPass Policy Manager.
An authenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2022-23670)

– A denial of service (DoS) vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. An unauthenticated, remote attacker can exploit this issue, via WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager, to cause the process to stop responding. (CVE-2021-21419)

– A denial of service (DoS) vulnerability exists in Python Urllib library used by ClearPass Policy Manager. An authenticated, remote attacker can exploit this issue, via the web-based management, to cause the application to stop responding. (CVE-2021-33503)

– An authentication bypass vulnerability exists in web-based management interface of ClearPass Policy Manager. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary actions with root privileges. (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660)

– A reflected cross-site scripting (XSS) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user’s browser session. (CVE-2022-23659)

– A command injection vulnerability exists in the ClearPass Policy Manager command line interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23661, CVE-2022-23662)

– A command injection vulnerability exists in the ClearPass Policy Manager web-based management interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23663, CVE-2022-23664, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673)

– A command injection vulnerability exists in Aruba ClearPass Policy Manager. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23665)

– A command injection vulnerability exists in the ClearPass Policy Manager command line interface. An authenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2022-23667)

– A Server Side Request Forgery (SSRF) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of session & user-accessible input data. The insecure processing of the input by the vulnerable application server allows an unauthenticated, remote attacker the ability to exploit this by sending a specially crafted message to the server to create a trusted remote session with a malicious external target.
(CVE-2022-23668)

– An authentication bypass vulnerability exists in ClearPass Policy Manager due to the handling of SAML token expiration.
An authenticated, remote attacker can exploit this, via possession of a valid token to reuse the token after session expiration, to bypass authentication and execute arbitrary actions with user privileges. (CVE-2022-23669)

– An information disclosure vulnerability exists in ClearPass Policy Manager cluster network position. An authenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2022-23671)

– A authenticated stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of ClearPass Policy Manager due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user’s browser session. (CVE-2022-23674, CVE-2022-23675)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More