Authentication process bypassed to access corporate networks

Critical Aruba ClearPass RCE vulnerability exposes underlying systems

A critical vulnerability has been patched in Aruba ClearPass Policy Manager that exposes host systems to remote exploitation.

The flaw is classed as an unauthenticated remote code execution (RCE) vulnerability in Aruba ClearPass Policy Manager, software that acts as a secure access gatekeeper for IoT, bring-your-own-device (BYOD), and guest devices on corporate networks.

Tracked as CVE-2020-7115 and issued a CVSS score of 8.1, the critical issue was discovered by security researcher Daniel “Dozer” Jensen.

Certificate validation

In a blog post dated September 18, the New Zealand-based security researcher said the bug relates to how ClearPass handles certificate validation.

If client certificates are uploaded to an endpoint, ClearPass, which relies on the OpenSSL library, will copy the contents to a temporary file in the /tmp/ directory, created using the Java createTempFile function.

This function gives the file a random name and fixed extension. The software will then attempt to validate client certificates “by determining whether a password parameter in the request is able to decrypt the certificate”, the researcher explains.

This is performed by passing the temporary file name and password as arguments to a shell script. The “password” argument, however, is not quoted properly.

In addition, while not knowing the randomly-generated file name could be a potential barrier to exploitation, by using the wildcard character “*,” the shell script will automatically substitute in a valid path during queries.

Therefore, if a file is placed on disk that can be interpreted as an OpenSSL engine file, attackers can control “-engine” arguments and execute arbitrary code, bypassing existing authentication processes on public-facing systems.

“Upon successful bypass, an attacker could then execute an exploit that would allow remote command execution in the underlying operating system,” Aruba’s security advisory notes.

Catch up on the latest network security news

The vulnerability has now been resolved with the release of Aruba ClearPass Policy Manager version 6.9.1.

Jensen has provided proof-of-concept (PoC) code. The PoC is limited and will only work once as it relies on passing multiple clientCertFiles as arguments, an invalid mechanism to call OpenSSL.

However, there are ways to work around this issue, the researcher told The Daily Swig – a process that involves no more than switching around a few characters.

“An attacker could easily use this bug to compromise any publicly exposed ClearPass instances that haven’t been patched,” Jensen commented. “Hopefully, the majority of public-facing instances are fixed.”

In addition to CVE-2020-7115, the networking vendor has also released patches for CVE-2020-7116 and CVE-2020-7117 vulnerabilities.

The security flaws, also reported by Jensen, are described as RCE flaws in the Aruba ClearPass Policy Manager WebUI interface.

While the bugs can also be used to compromise underlying operating systems, attackers must be authenticated, greatly limiting the risks posed the vulnerabilities.

RELATED Databases, cloud storage, and more at risk from exposed access keys