CVE-2021-29145
📋 TL;DR
This CVE describes a critical Server-Side Request Forgery (SSRF) vulnerability in Aruba ClearPass Policy Manager that can lead to remote code execution. Attackers can exploit this to make the server send unauthorized requests to internal systems and potentially execute arbitrary code. Organizations running affected versions of Aruba ClearPass Policy Manager are at risk.
💻 Affected Systems
- Aruba ClearPass Policy Manager
📦 What is this software?
Clearpass by Arubanetworks
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, access sensitive data, pivot to internal networks, and potentially maintain persistent access.
Likely Case
Unauthorized access to internal systems, data exfiltration, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only allowing information disclosure about internal services.
🎯 Exploit Status
SSRF vulnerabilities often have low exploitation complexity and can be chained with other vulnerabilities for RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.9.5, 6.8.9, or 6.7.14-HF1
Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-009.txt
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Aruba support portal.
2. Back up the current configuration.
3. Apply the patch following Aruba's upgrade documentation.
4. Restart the ClearPass Policy Manager service.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network access from ClearPass servers to only the internal services they need to reach
Access Control Lists
Implement strict firewall rules to limit ClearPass server network communications
🧯 If You Can't Patch
- Isolate ClearPass servers in a dedicated network segment with strict egress filtering
- Implement web application firewall rules to detect and block SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check the ClearPass version via the web interface or CLI. The fix is released per branch, so compare against the fixed release for the branch you run: 6.9.x before 6.9.5, 6.8.x before 6.8.9, or 6.7.x before 6.7.14-HF1 is vulnerable.
Check Version:
From ClearPass CLI: show version
Verify Fix Applied:
Verify the version has been updated to 6.9.5, 6.8.9, or 6.7.14-HF1 or later.
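As an added example, not taken from this page or from Aruba, the following Python function turns the branch-aware check above into code: it parses a version string or `show version` output (the sample CLI line is constructed, and the real output layout may differ), looks up the fixed release for the version's branch, and treats the `-HF1` suffix on the 6.7 branch as a hotfix level so that a plain 6.7.14 is still reported as vulnerable. Branches the advisory does not list (for example 6.10) are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed releases per branch, as listed in this advisory.
# Value is (patch, hotfix); hotfix 0 is the plain release, so 6.7.14-HF1 is (14, 1).
FIXED_BY_BRANCH = {
    (6, 9): (5, 0),   # 6.9.5
    (6, 8): (9, 0),   # 6.8.9
    (6, 7): (14, 1),  # 6.7.14-HF1
}

# major.minor.patch, an optional numeric build component, and an optional -HFn suffix.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-HF(\d+))?", re.IGNORECASE)

# Constructed sample of CLI output; the real "show version" layout may differ.
SAMPLE_SHOW_VERSION = "Policy Manager software version: 6.8.7.112233"


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, hotfix) for the first version-like token in text.

    The build number is ignored and a missing -HFn suffix counts as hotfix 0.
    Returns None when no version is found.
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch, hotfix = match.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch, False if at or above it.

    Returns None when the version cannot be parsed or its branch is not one of the
    three the advisory lists; those cases need a manual check against the vendor advisory.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, patch, hotfix = parsed
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (patch, hotfix) < fixed


def check_sample() -> Optional[bool]:
    """Run the check against the constructed sample output."""
    return is_vulnerable(SAMPLE_SHOW_VERSION)


if __name__ == "__main__":
    for v in ("6.9.3.130064", "6.9.5", "6.7.14", "6.7.14-HF1", "6.10.0"):
        print(v, "->", is_vulnerable(v))
    print("sample:", check_sample())
```

The comparison is done on a `(patch, hotfix)` tuple rather than on the raw string so that `6.9.10` sorts after `6.9.5` and a hotfix-less `6.7.14` sorts before `6.7.14-HF1`.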
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from ClearPass server
- Requests to internal IP ranges from ClearPass
- Unexpected process execution on ClearPass server
Network Indicators:
- ClearPass server making requests to unexpected internal services
- Outbound connections to unusual ports from ClearPass
SIEM Query (pseudo-query: replace internal_range with your internal address ranges and common_ports with the ports ClearPass is expected to use):
source="clearpass" AND (http_request OR network_connection) AND (dst_ip=internal_range OR dst_port!=common_ports)
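As an added example, not part of this page and not ClearPass tooling, here is the logic of that SIEM query run in Python over a handful of constructed outbound-connection log lines in a key=value format (not real ClearPass output). It adds one thing the raw query lacks: an allowlist of the internal services ClearPass legitimately talks to (the directory server in the sample), so that expected traffic to internal ranges is not flagged while requests to other internal addresses, to the link-local range, or on uncommon ports are. The host names, address ranges, and port list are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of outbound-connection log lines from a ClearPass host in a
# simple key=value format. This is not real ClearPass log output; map the field
# names to whatever your collector produces.
SAMPLE_LOG = """\
ts=2021-03-30T09:12:01Z host=clearpass01 src_ip=10.20.0.5 dst_ip=10.20.1.15 dst_port=389 proto=tcp
ts=2021-03-30T09:12:07Z host=clearpass01 src_ip=10.20.0.5 dst_ip=10.20.1.15 dst_port=636 proto=tcp
ts=2021-03-30T09:13:44Z host=clearpass01 src_ip=10.20.0.5 dst_ip=10.20.3.40 dst_port=8080 proto=tcp
ts=2021-03-30T09:13:45Z host=clearpass01 src_ip=10.20.0.5 dst_ip=169.254.169.254 dst_port=80 proto=tcp
ts=2021-03-30T09:14:02Z host=clearpass01 src_ip=10.20.0.5 dst_ip=203.0.113.10 dst_port=443 proto=tcp
ts=2021-03-30T09:14:30Z host=clearpass01 src_ip=10.20.0.5 dst_ip=203.0.113.10 dst_port=4444 proto=tcp
ts=2021-03-30T09:15:00Z host=fileserver02 src_ip=10.20.0.9 dst_ip=10.20.3.40 dst_port=8080 proto=tcp
"""

# Assumed values for this example; tune them to your environment.
CLEARPASS_HOSTS = {"clearpass01"}              # the source="clearpass" part of the query
EXPECTED_DESTINATIONS = {                      # internal services ClearPass legitimately uses
    ("10.20.1.15", 389), ("10.20.1.15", 636),  # e.g. a directory server over LDAP/LDAPS
}
COMMON_PORTS = {80, 443}                       # the common_ports part of the query
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (   # the internal_range part
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def reasons_for(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches; an empty list means nothing suspicious."""
    if event.get("host") not in CLEARPASS_HOSTS:
        return []  # only events originating from ClearPass hosts are of interest
    dst_ip, dst_port = event["dst_ip"], int(event["dst_port"])
    if (dst_ip, dst_port) in EXPECTED_DESTINATIONS:
        return []  # known-good internal service, so neither indicator applies
    reasons = []
    if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
        reasons.append("internal-destination")
    if dst_port not in COMMON_PORTS:
        reasons.append("uncommon-port")
    return reasons


def find_suspicious(log_text: str) -> List[Tuple[str, str, int, List[str]]]:
    """Return (timestamp, dst_ip, dst_port, reasons) for every flagged event."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = reasons_for(event)
        if reasons:
            hits.append((event["ts"], event["dst_ip"], int(event["dst_port"]), reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, port, why in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip}:{port} {','.join(why)}")
```

On the sample this flags three events: the internal host on port 8080, the link-local address on port 80, and the external host on port 4444; the directory-server traffic and the external HTTPS connection pass. The allowlist is what keeps the "internal destination" indicator usable on a product whose job is to talk to internal directory and RADIUS infrastructure.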