Aruba ClearPass RCE and authentication bypass

A critical vulnerability has been patched in Aruba ClearPass Policy Manager that exposes host systems to remote exploitation.

The flaw is classed as an unauthenticated remote code execution (RCE) vulnerability in Aruba ClearPass Policy Manager, software that acts as a secure access gatekeeper for IoT, bring-your-own-device (BYOD), and guest devices on corporate networks.

The flaw is tracked as CVE-2020-7115 and has been assigned a CVSS score of 8.1.

Certificate validation

When a client certificate is uploaded to the relevant endpoint, ClearPass, which relies on the OpenSSL library, copies its contents to a temporary file in the /tmp/ directory, created using the Java createTempFile function.

This function gives the file a random name but a fixed extension. The software then attempts to validate the client certificate “by determining whether a password parameter in the request is able to decrypt the certificate”, the researcher explains.

This is done by passing the temporary file name and the password as arguments to a shell script. The “password” argument, however, is not properly quoted.

In addition, while not knowing the randomly generated file name might seem to be a barrier to exploitation, the wildcard character “*” can be supplied in its place, and the shell will expand it to a valid path when the script runs.

Therefore, if a file that can be interpreted as an OpenSSL engine file is placed on disk, an attacker can control the “-engine” argument and execute arbitrary code, bypassing the existing authentication checks on public-facing systems.
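The two shell behaviours the write-up relies on, word splitting of an unquoted argument and glob expansion of an unquoted path, are illustrated below with a stand-in script (added here, not the ClearPass script or the researcher's code); `count_args` is a hypothetical counting helper that stands in for the real openssl call so the example runs offline, and the vulnerable and hardened forms are shown side by side.

```shell
#!/bin/sh
# Stand-in for the openssl invocation: reports how many arguments it received.
# (Assumption: the real script calls openssl here; counting is enough to show
# how the argument list changes.)
count_args() { echo "$#"; }

# Vulnerable pattern: $cert_file and $password are expanded without quotes,
# so the shell word-splits a password containing spaces into extra arguments
# (which the callee then parses as options) and expands a '*' in the path
# to whatever files match.
vulnerable_call() {
    cert_file=$1
    password=$2
    count_args pkcs12 -in $cert_file -passin pass:$password -noout
}

# Hardened pattern: every expansion is quoted so each value stays a single
# argument, pathname expansion is disabled in a subshell for the duration of
# the call, and a value that is itself an option (leading '-') is refused.
hardened_call() {
    cert_file=$1
    password=$2
    case "$password" in
        -*) echo "rejected: password must not begin with '-'" >&2; return 2 ;;
    esac
    ( set -f; count_args pkcs12 -in "$cert_file" -passin "pass:$password" -noout )
}
```

With a constructed password such as `secret -engine x`, the vulnerable form hands the callee eight arguments instead of six, while the hardened form always passes six.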

“Upon successful bypass, an attacker could then execute an exploit that would allow remote command execution in the underlying operating system.”

The vulnerability has now been resolved with the release of Aruba ClearPass Policy Manager version 6.9.1.

The PoC is limited and will only work once, as it relies on passing multiple clientCertFiles as arguments, which is not a valid way to call OpenSSL.

“An attacker could easily use this bug to compromise any publicly exposed ClearPass instances that haven’t been patched,” Jensen commented. “Hopefully, the majority of public-facing instances are fixed.”

In addition to CVE-2020-7115, the networking vendor has also released patches for CVE-2020-7116 and CVE-2020-7117 vulnerabilities.

While these bugs can also be used to compromise the underlying operating system, attackers must be authenticated first, which greatly limits the risk posed by the vulnerabilities.

Patch Tuesday September 2020

As part of this month’s Patch Tuesday, Microsoft today released a fresh batch of security updates to fix a total of 129 newly discovered security vulnerabilities affecting various versions of its Windows operating systems and related software.

Of these, 23 are rated critical, 105 important, and one moderate in severity.

None of the vulnerabilities patched in September were listed as publicly known or under active attack at the time of release, or at least not to Microsoft's knowledge.

Among all the critical flaws, a memory corruption vulnerability (CVE-2020-16875) in Microsoft Exchange software is worth highlighting. Exploiting this flaw could allow an attacker to run arbitrary code at the SYSTEM level by sending a specially crafted email to a vulnerable Exchange Server.

“A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory,” Microsoft explains. “An attacker could then install programs; view, change, or delete data; or create new accounts.”

Microsoft also patched two critical remote code execution flaws in Windows Codecs Library; both exist in the way that Microsoft Windows Codecs Library handles objects in memory, but while one (CVE-2020-1129) could be exploited to obtain information to compromise the user’s system further, the other (CVE-2020-1319) could be used to take control of the affected system.

Besides these, two remote code execution flaws affect the on-premises implementation of Microsoft Dynamics 365, but both require the attacker to be authenticated.

Microsoft also patched six critical remote code execution vulnerabilities in SharePoint and one in SharePoint Server. While exploiting the vulnerability in SharePoint Server requires authentication, other flaws in SharePoint do not.

Other critical flaws the tech giant patched this month reside in Windows, Windows Media Audio Decoder, Windows Text Service Module, Windows Camera Codec Pack, Visual Studio, Scripting Engine, Microsoft COM for Windows, Microsoft Browser, and Graphics Device Interface.

Most of these vulnerabilities allow information disclosure, elevation of privilege, or cross-site scripting. Some also lead to remote code execution, while others allow security feature bypass, spoofing, tampering, or denial of service.

Windows users and system administrators are strongly advised to apply the latest security patches as soon as possible to prevent cybercriminals from taking control of their computers.
To install the security updates, go to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.