CVE-2024-51772
📋 TL;DR
An authenticated remote code execution vulnerability in the ClearPass Policy Manager web interface allows an attacker with valid credentials to execute arbitrary commands on the underlying host. This affects organizations using ClearPass Policy Manager for network access control. Because ClearPass holds the network's authentication and policy data, an attacker with valid credentials can potentially compromise the entire system.
💻 Affected Systems
- Aruba ClearPass Policy Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise, allowing an attacker to install persistent backdoors, steal sensitive data, pivot to other network systems, and disrupt network access control services.
Likely Case
An attacker gains shell access to the ClearPass server, potentially compromising network authentication data, modifying policies, and using the system as a foothold for lateral movement.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and minimal privileges for authenticated users.
🎯 Exploit Status
Exploitation requires valid credentials but is straightforward once authenticated. No public exploit code was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.12.7, 6.13.4, or 6.14.0
Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate patch version from the HPE support portal.
3. Apply the patch via the ClearPass web interface or CLI.
4. Restart ClearPass services.
5. Verify patch installation and functionality.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the ClearPass web management interface to trusted IP addresses only
Configure firewall rules to restrict access to ClearPass web ports (typically 443)
Enforce Strong Authentication
Implement multi-factor authentication and strong password policies for all ClearPass administrative accounts
Enable MFA in ClearPass Policy Manager settings
🧯 If You Can't Patch
- Implement network segmentation to isolate ClearPass systems from critical infrastructure
- Enable detailed logging and monitoring for suspicious authentication attempts and command execution
🔍 How to Verify
Check if Vulnerable:
Check ClearPass version via web interface (Admin > Support > About) or CLI command 'appliance version'
Check Version:
appliance version
Verify Fix Applied:
Verify that the installed version is 6.12.7, 6.13.4, or 6.14.0 or later within its release branch (6.12.x, 6.13.x, 6.14.x); a later-numbered version from an earlier branch, such as 6.13.2, is still vulnerable. Test web interface functionality after the patch.
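A branch-aware version gate for the thresholds above, written as an added example (it is not code from the advisory or from HPE). The output format of `appliance version` is assumed, so the parser only takes the first x.y.z token; release branches newer than 6.14 are assumed to carry the fix, and branches older than 6.12 are not covered by the advisory and are reported as unknown.

```python
import re

# Fixed versions per release branch, as listed in the advisory.
FIXED_VERSIONS = {
    (6, 12): (6, 12, 7),
    (6, 13): (6, 13, 4),
    (6, 14): (6, 14, 0),
}

def parse_version(text):
    """Extract the first dotted x.y.z version from CLI or web output.

    The exact format of 'appliance version' output is an assumption;
    a trailing build number (e.g. 6.12.6.12345) is ignored.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(p) for p in m.groups())

def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a version tuple.

    Comparison is per branch: 6.13.2 sorts above 6.12.7 but is still
    vulnerable because the 6.13 fix is 6.13.4.
    """
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return "fixed" if version >= fixed else "vulnerable"
    if branch > (6, 14):
        # Assumption: branches released after 6.14.0 include the fix.
        return "fixed"
    # Branches before 6.12 are not covered by the advisory.
    return "unknown-branch"

def check_output(text):
    """Convenience wrapper: raw 'appliance version' output -> verdict."""
    return assess(parse_version(text))

if __name__ == "__main__":
    # Constructed sample output, not a real appliance transcript.
    print(check_output("ClearPass Policy Manager version 6.12.6"))
```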
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Unexpected command execution in system logs
- Multiple failed login attempts followed by successful login
Network Indicators:
- Unusual outbound connections from ClearPass server
- Traffic to unexpected ports from ClearPass management interface
SIEM Query:
source="clearpass" AND ((event_type="authentication" AND result="success" AND user="admin*") OR (process_execution AND parent_process="web_server"))