ClearPass Policy Manager accepted expired SAML tickets
- Tomas Rzepka
- Published: 23 May 2022
- Type: Improper Authentication
- Severity: Medium
Aruba ClearPass Policy Manager
CVE-2022-23669
WithSecure identified an authentication vulnerability that arises when SAML is set up as the authentication mechanism for the ClearPass Policy Manager portal. It was possible to reuse expired SAML tickets and get a new valid session token with the privileges of the user that originally requested the SAML ticket. The issue was found in ClearPass Policy Manager 6.10.2, but older versions could also be vulnerable.
An attacker who gains access to an expired SAML ticket may reuse the ticket to gain access to the Policy Manager administration portal.
The application did not verify the NotOnOrAfter attribute in the SAML token Conditions element.
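The missing check, sketched as an added example (not code from WithSecure, Aruba or the product): a service provider enforcing the Conditions validity window on an assertion whose signature has already been verified. The function names, the 60-second clock-skew allowance, the fail-closed handling of a missing NotOnOrAfter and the sample assertion are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(seconds=60)  # assumed clock-skew allowance


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC, e.g. 2022-05-23T10:05:00Z."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC")
    value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now=None):
    """Return (ok, reason) for the Conditions validity window.

    Assumes the input is the saml:Assertion element and that its
    signature was verified before this function is called.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions"
    not_after = cond.get("NotOnOrAfter")
    if not_after is None:
        return False, "missing NotOnOrAfter"  # assumed policy: fail closed
    try:
        # The assertion is invalid at or after NotOnOrAfter.
        if now >= parse_saml_time(not_after) + MAX_SKEW:
            return False, "expired"
        not_before = cond.get("NotBefore")
        if not_before and now < parse_saml_time(not_before) - MAX_SKEW:
            return False, "not yet valid"
    except ValueError:
        return False, "bad timestamp"
    return True, "ok"


# Constructed sample assertion (signature and subject omitted).
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Conditions NotBefore="2022-05-23T10:00:00Z" '
    'NotOnOrAfter="2022-05-23T10:05:00Z"/></saml:Assertion>'
)
```

A replayed ticket is rejected as "expired" once the current time passes NotOnOrAfter plus the skew allowance, however valid its signature remains.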
According to the vendor, the following base versions can be patched with the corresponding patch.
Date | Action |
---|---|
3 Nov 2021 | Notified Aruba Networks about the identified vulnerability |
1 Dec 2021 | Vendor acknowledged issue |
2 Mar 2022 | Vendor releases fixed version |
4 May 2022 | Vendor publishes advisory https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt |
23 May 2022 | WithSecure publishes advisory |