Aruba Security Update – 26 October 2023

Aruba has released a security update to address multiple vulnerabilities across ClearPass Policy Manager.

The addressed vulnerabilities could allow an attacker to gain elevated privileges, manipulate data, conduct phishing attacks, execute arbitrary commands, and gain access to the affected products.

Sample of the addressed vulnerabilities:

1. Aruba Networks ClearPass Policy Manager Privilege Escalation Vulnerability (CVE-2023-43506):

  • CVSS: 7.8
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Privilege

2. Aruba Networks ClearPass Policy Manager SQL Injection Vulnerability (CVE-2023-43507):

  • CVSS: 7.2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Consequences: Data Manipulation

Affected versions:

  • ClearPass Policy Manager 6.11.x: 6.11.4 and below.
  • ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below.
  • ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below.
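
The affected-version list above is easy to misread because the 6.10.x and 6.9.x thresholds depend on a cumulative hotfix level, not only on the release number. The following is an added example (not code from Aruba or from this advisory) that encodes those three ranges and triages a constructed inventory; it assumes that a release later than the listed one is fixed, that any hotfix above the listed one is fixed, and that branches the advisory does not mention cannot be classified.

```python
from typing import List, Optional, Tuple

# Last affected release per branch, and the last affected cumulative
# hotfix on that release (None = every hotfix of that release is affected).
# Values are taken from the advisory's "Affected versions" list.
AFFECTED = {
    (6, 11): ((6, 11, 4), None),   # 6.11.4 and below
    (6, 10): ((6, 10, 8), 5),      # 6.10.8 with Cumulative Hotfix Patch 5 and below
    (6, 9):  ((6, 9, 13), 3),      # 6.9.13 with Cumulative Hotfix Patch 3 and below
}


def is_affected(version: str, hotfix: int = 0) -> Optional[bool]:
    """Return True/False for a listed branch, None if the branch is not covered.

    `version` is "major.minor.patch"; `hotfix` is the cumulative hotfix level
    applied on top of it (0 = none). Assumption: a release above the listed
    one, or a hotfix above the listed one, is not affected.
    """
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    branch = parts[:2]
    if branch not in AFFECTED:
        return None
    last_release, last_hotfix = AFFECTED[branch]
    if parts != last_release:
        return parts < last_release      # strictly older release: affected
    if last_hotfix is None:
        return True                      # listed release, any hotfix
    return hotfix <= last_hotfix         # hotfix level decides


def triage(inventory: List[Tuple[str, str, int]]) -> List[str]:
    """Return the hostnames that need the update, in inventory order."""
    return [host for host, ver, hf in inventory if is_affected(ver, hf)]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, cumulative hotfix).
    sample = [
        ("cppm-a", "6.11.4", 0),
        ("cppm-b", "6.10.8", 5),
        ("cppm-c", "6.10.8", 6),
        ("cppm-d", "6.9.12", 9),
    ]
    print(triage(sample))  # cppm-a, cppm-b, cppm-d
```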

Vulnerabilities

  • CVE-2023-43506
  • CVE-2023-43507
  • CVE-2023-43508
  • CVE-2023-43509
  • CVE-2023-43510

Mitigations

Enterprises should deploy this update as soon as their testing phase is complete.

References

  • Aruba Security Advisory