Clearpass Policy Manager accepted expired SAML tickets
WithSecure identified an authentication vulnerability that arises when SAML is setup as the authentication mechanism for Clearpass Policy Manager portal. It was possible to reuse expired SAML tickets and get a new valid session token with the privileges of the user that originally requested the SAML ticket. The issue was found in ClearPass Policy Manager 6.10.2, but older versions could also be vulnerable.
An attacker who gains access to a expired SAML ticket may reuse the ticket to gain access to Policy Manager administration portal.
The application did not verify the NotOnOrAfter attribute in the SAML token Conditions element.