Aruba ClearPass Security Advisory

As you may be aware by now, HPE/Aruba sent out a product security advisory (HPESBHF03730) earlier this morning covering all ClearPass Policy Manager environments prior to version 6.6.5. We at Vandis understand there may be questions about the seriousness of this email, but there are steps that can be put in place to mitigate this threat, including a temporary, non-intrusive option. The first method is to update the software from your ClearPass publisher as described below:

Installing the Patch Online Using the Software Updates Portal:

  1. Open ClearPass Policy Manager and go to Administration > Agents and Software Updates > Software Updates.
  2. In the Firmware and Patch Updates area, find the "ClearPass Cumulative Patch 5 for 6.6.0, 6.6.1, 6.6.2, 6.6.3 and 6.6.4" and click the Download button in its row.
  3. Click Install.
  4. When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed on the Administration > Agents and Software Updates > Software Updates page.
  5. While in the Firmware and Patch Updates area, find the "ClearPass 6.6.5 Hotfix Patch for CVE-2017-5647, CVE-2017-5824, and CVE-2017-5829" and click the Download button in its row.
  6. Click Install.
  7. When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

If you are not able to install this patch with the online method, you can install it offline instead.

 Installing the Patch Offline Using the Patch File from https://support.arubanetworks.com:

  1. Download the "6.6.0 Cumulative Patch 5 (6.6.5)" and "ClearPass 6.6.5 Hotfix Patch for CVE-2017-5647, CVE-2017-5824, and CVE-2017-5829" from the Support site.
  2. Open the ClearPass Policy Manager Admin UI and go to Administration > Agents and Software Updates > Software Updates.
  3. At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded "6.6.0 Cumulative Patch 5 (6.6.5)" file.
  4. Click Install.
  5. When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed on the Administration > Agents and Software Updates > Software Updates page.
  6. At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded "ClearPass 6.6.5 Hotfix Patch for CVE-2017-5647, CVE-2017-5824, and CVE-2017-5829" file.
  7. Click Install.
  8. When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

If neither of these methods is feasible due to the required downtime, we suggest at least putting a temporary mitigation in place, which can be achieved by the steps below:

  • Temporary Mitigation: These attacks require network access to execute. As a general best practice, it is recommended that all administrative access be restricted to trusted user networks exclusively. This applies to the Policy Manager Admin Web Interface and SSH consoles. This is best accomplished through a comprehensive network security policy that restricts administrative access to ClearPass administration interfaces.
    • Restricting access to the Policy Manager Admin Web Interface can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> <Server-Name> >> Network >> Restrict Access and only allowing non-public or network management networks.
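
Before entering networks under Restrict Access, it helps to check the proposed list for public or overly broad entries and for administrators who would be locked out. The following is an added example, not part of the HPE/Aruba advisory or any ClearPass tooling; the function name, the /16 breadth threshold, the reading of "non-public" as RFC 1918 and IPv6 unique-local space, and the sample addresses are all assumptions.

```python
import ipaddress

# Assumption: "non-public" means RFC 1918 and IPv6 unique-local address space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def audit_allowlist(allowed, admin_sources, min_prefix_v4=16):
    """Audit a proposed Restrict Access allowlist before applying it.

    Returns (findings, locked_out):
      findings   - (entry, reason) pairs for invalid, public or too-broad entries
      locked_out - admin source IPs not covered by any entry that passed the audit
    min_prefix_v4 is an assumed site policy threshold, not a ClearPass setting.
    """
    clean, findings = [], []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "invalid network"))
            continue
        if not any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC):
            findings.append((entry, "not confined to non-public address space"))
        elif net.version == 4 and net.prefixlen < min_prefix_v4:
            findings.append((entry, "broader than /%d" % min_prefix_v4))
        else:
            clean.append(net)
    # Membership is False when the IP version differs, so mixed v4/v6 lists are safe.
    locked_out = [ip for ip in admin_sources
                  if not any(ipaddress.ip_address(ip) in n for n in clean)]
    return findings, locked_out


# Constructed sample input (not from the advisory).
PROPOSED = ["10.20.30.0/24", "10.0.0.0/8", "203.0.113.0/24", "0.0.0.0/0", "mgmt-vlan"]
ADMINS = ["10.20.30.15", "192.168.50.7"]

if __name__ == "__main__":
    findings, locked_out = audit_allowlist(PROPOSED, ADMINS)
    for entry, reason in findings:
        print("REVIEW  %-16s %s" % (entry, reason))
    for ip in locked_out:
        print("LOCKOUT %-16s no clean entry covers this admin source" % ip)
```

Resolve every REVIEW and LOCKOUT line before applying the restriction, so that the change neither leaves the admin interface reachable from untrusted networks nor cuts off your own administrators.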

If you are unsure of your proper upgrade path to get to 6.6.5 in order to install this hotfix, are unsure how to set up the temporary mitigation, or have any questions or concerns at all, please reach out to us so we can assist you in any way needed.