Aruba Security Updates 15 March 2023

Aruba has released security updates addressing multiple vulnerabilities in ClearPass Policy Manager.

The addressed vulnerabilities could allow an attacker to elevate privileges, disclose information, perform cross-site scripting, or gain access and execute arbitrary code on the affected systems.

Sample of the addressed vulnerabilities:

1. Unauthenticated Arbitrary User Creation Leads to Complete System Compromise (CVE-2023-25589):

• CVSS: 9.8

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

2. Local Privilege Escalation in ClearPass OnGuard Linux Agent (CVE-2023-25590):

• CVSS: 7.8

• Attack Vector: Local

• Attack Complexity: Low

• Privileges Required: Low

• User Interaction: None

• Consequences: Gain Privilege

Affected Products:

• ClearPass Policy Manager 6.11.x: 6.11.1 and below

• ClearPass Policy Manager 6.10.x: 6.10.8 and below

• ClearPass Policy Manager 6.9.x: 6.9.13 and below

Vulnerabilities

• CVE-2023-25589

• CVE-2023-25590

• CVE-2023-25593

• CVE-2023-25594

• CVE-2023-25591

• CVE-2023-25592

• CVE-2023-25595

• CVE-2023-25596

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Aruba Security Advisory

References