Clearpass Policy Manager accepted expired SAML tickets

CVE-2022-23669

  • Type: Improper Authentication
  • Severity: Medium
  • Affected products: Aruba Clearpass Policy Manager
  • Remediation: According to the vendor, the following base versions can be patched with the corresponding patch.
      - ClearPass Policy Manager 6.10.x: 6.10.5 and above
      - ClearPass Policy Manager 6.9.x: 6.9.10 and above
      - ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above
  • Credits: Vulnerabilities discovered by Tomas Rzepka of WithSecure.
  • CVE Reference: CVE-2022-23669

Timeline

2021-11-03: Notified Aruba Networks about the identified vulnerability
2021-12-01: Vendor acknowledged issue
2022-03-02: Vendor released fixed version
2022-05-04: Vendor published advisory https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt
2022-05-23: WithSecure publishes advisory

Description

WithSecure identified an authentication vulnerability that arises when SAML is set up as the authentication mechanism for the Clearpass Policy Manager portal. It was possible to reuse expired SAML tickets and get a new valid session token with the privileges of the user that originally requested the SAML ticket. The issue was found in ClearPass Policy Manager 6.10.2, but older versions could also be vulnerable.

Impact

An attacker who gains access to an expired SAML ticket may reuse the ticket to gain access to the Policy Manager administration portal.

Cause

The application did not verify the NotOnOrAfter attribute in the SAML token Conditions element.
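
The missing check, sketched as an added example (not ClearPass code and not part of the original advisory): a service provider rejects an assertion once the current time reaches the NotOnOrAfter value in Conditions. The function names, the 60-second clock-skew allowance, the fail-closed handling of a missing attribute and the sample assertion are assumptions of this example; signature verification is assumed to have succeeded before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not taken from the advisory). Signature omitted:
# signature verification must already have succeeded before this check runs.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2022-01-01T10:00:00Z">'
    '<saml:Conditions NotBefore="2022-01-01T09:59:30Z" '
    'NotOnOrAfter="2022-01-01T10:05:00Z"/>'
    '</saml:Assertion>'
)

def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix) into an aware datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, skew=timedelta(seconds=60)):
    """Return (accepted, reason) for the assertion's validity window at `now`."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        # Policy choice of this example: fail closed when no expiry is stated.
        return False, "NotOnOrAfter missing"
    # "On or after" means the boundary instant itself is already expired.
    if now >= parse_saml_time(not_on_or_after) + skew:
        return False, "assertion expired"
    not_before = cond.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        return False, "assertion not yet valid"
    return True, "within validity window"

if __name__ == "__main__":
    for stamp in ("2022-01-01T10:02:00Z", "2022-01-01T10:30:00Z"):
        print(stamp, check_conditions(SAMPLE_ASSERTION, parse_saml_time(stamp)))
```

Keeping the skew allowance small matters here, because it extends the window in which a captured assertion is still accepted.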