Security

Hi all

Regarding this Radius advisory..

We have Clearpass 6.10.8 and also Mobility conductor running 8.10.0.11

What I read from the resolution is that MC should be updated to 8.10.0.14 ( available later Set24)

how about clearpass ? is mandantory to go to 6.11 version? Since they says versions 6.11.8 or below ;  ask you guys this because going to 6.11 implicates a fresh install no?

regards

Hi all

Regarding this Radius advisory..

We have Clearpass 6.10.8 and also Mobility conductor running 8.10.0.11

What I read from the resolution is that MC should be updated to 8.10.0.14 ( available later Set24)

how about clearpass ? is mandantory to go to 6.11 version? Since they says versions 6.11.8 or below ;  ask you guys this because going to 6.11 implicates a fresh install no?

regards

Did you see the workaround section?

Network Operators who rely on the RADIUS protocol for device and/or     
user authentication should update their software and configuration      
to a secure form of the protocol for both clients and servers.          
Where available, using EAP-TLS (assuming Message-Authenticator is       
properly configured on the RADIUS server) or RadSec will mitigate the   
vulnerability. This work around applies to all products.                
 
In instances where product upgrades are not available,  
network isolation and secure VPN tunnel communications should  
be enforced for the RADIUS protocol to restrict access to these  
network resources from untrusted sources. 

It may be a good moment to move to EAP-TLS, RadSec, and other more secure protocols than RADIUS and get around the issue altogether.

This attack requires a man-in-the-middle on RADIUS, so even running your RADIUS traffic over an isolated network (where end-users/attackers don't have access to), would remove the risk; and if attackers/end-users have access to the RADIUS traffic there are other risks like RADIUS being unencrypted with usernames, attributes, passwords (PAP), password challenges (MSCHAP/CHAP).

Not downplaying the need to remediate this vulnerability, but getting rid of RADIUS (in addition) would probably be even better.

If you have to run RADIUS, run it over a 'secured' network segment (not mixed with user traffic).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 12, 2024 12:26 PM
From: beconnect
Subject: regarding advisory HPESBNW04662

Hi all

Regarding this Radius advisory..

We have Clearpass 6.10.8 and also Mobility conductor running 8.10.0.11

What I read from the resolution is that MC should be updated to 8.10.0.14 ( available later Set24)

how about clearpass ? is mandantory to go to 6.11 version? Since they says versions 6.11.8 or below ;  ask you guys this because going to 6.11 implicates a fresh install no?

regards

Did you see the workaround section?

Network Operators who rely on the RADIUS protocol for device and/or     user authentication should update their software and configuration      to a secure form of the protocol for both clients and servers.          Where available, using EAP-TLS (assuming Message-Authenticator is       properly configured on the RADIUS server) or RadSec will mitigate the   vulnerability. This work around applies to all products.                 In instances where product upgrades are not available,  network isolation and secure VPN tunnel communications should  be enforced for the RADIUS protocol to restrict access to these  network resources from untrusted sources. 

It may be a good moment to move to EAP-TLS, RadSec, and other more secure protocols than RADIUS and get around the issue altogether.

This attack requires a man-in-the-middle on RADIUS, so even running your RADIUS traffic over an isolated network (where end-users/attackers don't have access to), would remove the risk; and if attackers/end-users have access to the RADIUS traffic there are other risks like RADIUS being unencrypted with usernames, attributes, passwords (PAP), password challenges (MSCHAP/CHAP).

Not downplaying the need to remediate this vulnerability, but getting rid of RADIUS (in addition) would probably be even better.

If you have to run RADIUS, run it over a 'secured' network segment (not mixed with user traffic).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 12, 2024 12:26 PM
From: beconnect
Subject: regarding advisory HPESBNW04662

Hi all

Regarding this Radius advisory..

We have Clearpass 6.10.8 and also Mobility conductor running 8.10.0.11

What I read from the resolution is that MC should be updated to 8.10.0.14 ( available later Set24)

how about clearpass ? is mandantory to go to 6.11 version? Since they says versions 6.11.8 or below ;  ask you guys this because going to 6.11 implicates a fresh install no?

regards

EAP-TLS is the authentication method between the Client and ClearPass; and you can see that in Access Tracker under the Authentication Method:

If you configured RadSec, or RADIUS, can also be seen in Access Tracker, but under the 'Source':

The vulnerability is in the RADIUS protocol, and requires a man-in-the-middle on that RADIUS traffic to be exploited, and the latest patches for ClearPass 6.11 and 6.12 have a fix. If there is no possibility for an attacker to perform an man-in-the-middle on the RADIUS traffic, because it's not accessible because it's running over a protected network segment or encrypted in a VPN or RadSec, there is no possibility to exploit. Having updated software, where vulnerabilities are fixed is recommended anyway, just for the reason that a potential vulnerability may pop up during security scans when performed.

There will be no fixed for ClearPass 6.10 as that version is end-of-support, and upgrading to 6.11 or 6.12 should be considered for other reasons as well to stay on supported and maintained software versions.

Did you see the workaround section?

Network Operators who rely on the RADIUS protocol for device and/or     user authentication should update their software and configuration      to a secure form of the protocol for both clients and servers.          Where available, using EAP-TLS (assuming Message-Authenticator is       properly configured on the RADIUS server) or RadSec will mitigate the   vulnerability. This work around applies to all products.                 In instances where product upgrades are not available,  network isolation and secure VPN tunnel communications should  be enforced for the RADIUS protocol to restrict access to these  network resources from untrusted sources. 

It may be a good moment to move to EAP-TLS, RadSec, and other more secure protocols than RADIUS and get around the issue altogether.

This attack requires a man-in-the-middle on RADIUS, so even running your RADIUS traffic over an isolated network (where end-users/attackers don't have access to), would remove the risk; and if attackers/end-users have access to the RADIUS traffic there are other risks like RADIUS being unencrypted with usernames, attributes, passwords (PAP), password challenges (MSCHAP/CHAP).

Not downplaying the need to remediate this vulnerability, but getting rid of RADIUS (in addition) would probably be even better.

If you have to run RADIUS, run it over a 'secured' network segment (not mixed with user traffic).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 12, 2024 12:26 PM
From: beconnect
Subject: regarding advisory HPESBNW04662

Hi all

Regarding this Radius advisory..

We have Clearpass 6.10.8 and also Mobility conductor running 8.10.0.11

What I read from the resolution is that MC should be updated to 8.10.0.14 ( available later Set24)

how about clearpass ? is mandantory to go to 6.11 version? Since they says versions 6.11.8 or below ;  ask you guys this because going to 6.11 implicates a fresh install no?

regards