Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has released a Security Advisory covering multiple recently discovered vulnerabilities in its product, which is used by enterprise clients worldwide. In this article, we cover the most severe of the reported issues, the Remote Command Execution vulnerability in Aruba ClearPass (CVE-2020-7115, CVSS 8.1), and the content available to detect the authentication bypass in the ClearPass Policy Manager web interface.
Critical Authentication Bypass
The severe CVE-2020-7115 vulnerability was reported by dozer.nz. According to the research, suspicious results observed while looking into a potential attack on ClearPass led the researchers to an endpoint that returned a 200 response with a message stating that no file had been uploaded. This prompted them to dig further into ClearPass, and they found that attackers could execute arbitrary code by injecting arguments into OpenSSL and abusing the client certificate verification script. Moreover, the use of a wildcard character made the bypass possible even without knowing the names of the uploaded files.
CVE-2020-7115 Mitigation and Detection
The critical CVE-2020-7115 vulnerability in the ClearPass WebUI was reported to Aruba by researchers, and the security procedures to mitigate this RCE vulnerability and several others are described in the Aruba Product Security Advisory.
To detect the Aruba ClearPass RCE, Emir Erdogan, one of the most active participants in the Threat Bounty Program, developed a community Sigma rule: https://tdm.socprime.com/tdm/info/E6jmiXJqT1ql/bX59oHQBQAH5UgbBteRm/
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Initial Access
Techniques: Exploit Public-Facing Application (T1190)