Aruba Networks releases patch to fix ClearPass software vulnerabilities

Aruba Networks Releases Patches for Eight Vulnerabilities in ClearPass Policy Manager Software.

Aruba Networks, a leading provider of network access enforcement solutions, has recently disclosed a set of patches to address eight vulnerabilities in its ClearPass Policy Manager software. The software is used to enforce unified network access across wireless, wired, and VPN networks.

The most severe vulnerability, CVE-2023-25589, was discovered by New Zealander pentester Daniel Jensen. The bug affects the ClearPass policy manager’s web-based management interface and has a CVSS score of 9.8. Aruba Networks warns that unauthenticated attackers could potentially gain “total cluster compromise” by creating arbitrary users on the platform.

Aruba Networks also identified four other high-severity bugs that were fixed in this patch release. One of these vulnerabilities, CVE-2023-25590, affects the OnGuard Linux agent and has a CVSS score of 7.8. A successful attacker on a Linux instance could execute arbitrary code with root privilege on the Linux instance. Luke Young reported this vulnerability through the company’s Bugcrowd bounty program.

Under CVE-2023-25591, an attacker who can authenticate with low privileges can take advantage of a bug in the policy manager’s web-based interface, potentially retrieving information to gain further privileges. This bug was also attributed to Luke Young.

Two reflected cross-site scripting bugs, CVE-2023-25592 and CVE-2023-25593, allow an attacker to execute arbitrary script code in a victim’s browser. The remaining three vulnerabilities are rated as medium severity.

The affected software versions are ClearPass Policy Manager 6.11.1 and below, 6.10.8 and below, and 6.913 and below. However, fixed versions are now available to address these vulnerabilities.

Aruba Networks advises all customers to apply the patches as soon as possible to avoid potential security risks.