Original Message:
Sent: Jul 15, 2024 08:31 AM
From: Herman Robers
Subject: regarding advisory HPESBNW04662
EAP-TLS is the authentication method between the Client and ClearPass; and you can see that in Access Tracker under the Authentication Method:
Whether you configured RadSec or RADIUS can also be seen in Access Tracker, but under the 'Source':
The vulnerability is in the RADIUS protocol, and requires a man-in-the-middle on that RADIUS traffic to be exploited, and the latest patches for ClearPass 6.11 and 6.12 have a fix. If there is no possibility for an attacker to perform a man-in-the-middle on the RADIUS traffic, because it's not accessible, as it's running over a protected network segment or encrypted in a VPN or RadSec, there is no possibility to exploit it. Having updated software, where vulnerabilities are fixed, is recommended anyway, if only because a potential vulnerability may pop up during security scans when they are performed.
There will be no fix for ClearPass 6.10 as that version is end-of-support, and upgrading to 6.11 or 6.12 should be considered for other reasons as well, to stay on supported and maintained software versions.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 15, 2024 06:24 AM
From: beconnect
Subject: regarding advisory HPESBNW04662
Hi Herman
Yes, I read it, but assumed that we need to go to 6.11 on CPPM.
Regarding the workaround, where can I find out if I am already using EAP-TLS on RADIUS?
Bruno Costa
IT Support Specialist
CONNECTing Projectos e Consultoria Lda.
Rua Diogo de Silves, 33C
1400-107 Lisboa
Tlm: +351 916 158 228
Email: baraujo@connecting.pt
internet: www.connecting.pt
Original Message:
Sent: Jul 15, 2024 05:00 AM
From: Herman Robers
Subject: RE: regarding advisory HPESBNW04662
Did you see the workaround section?
Network Operators who rely on the RADIUS protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. Where available, using EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS server) or RadSec will mitigate the vulnerability. This workaround applies to all products. In instances where product upgrades are not available, network isolation and secure VPN tunnel communications should be enforced for the RADIUS protocol to restrict access to these network resources from untrusted sources.
It may be a good moment to move to EAP-TLS, RadSec, and other more secure protocols than RADIUS and get around the issue altogether.
This attack requires a man-in-the-middle on RADIUS, so even running your RADIUS traffic over an isolated network (which end users/attackers don't have access to) would remove the risk; and if attackers/end users have access to the RADIUS traffic, there are other risks, like RADIUS being unencrypted with usernames, attributes, passwords (PAP), and password challenges (MSCHAP/CHAP).
Not downplaying the need to remediate this vulnerability, but getting rid of RADIUS (in addition) would probably be even better.
If you have to run RADIUS, run it over a 'secured' network segment (not mixed with user traffic).
------------------------------
Herman Robers
------------------------
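The workaround above hinges on the RADIUS server being configured to require a valid Message-Authenticator on Access-Request packets. The following is an added example, not code from this thread or from ClearPass, showing how that attribute (type 80, RFC 2869) is computed and checked: an HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own 16 value bytes zeroed. The shared secret, the identifier and the Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
SHARED_SECRET = b"example-shared-secret"        # constructed sample value, not a real secret
REQUEST_AUTHENTICATOR = bytes(range(16))        # constructed; a real client uses 16 random bytes

def build_access_request(identifier, authenticator, attrs):
    """Serialize an Access-Request (RFC 2865 layout) from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def add_message_authenticator(packet, secret):
    """Append Message-Authenticator: HMAC-MD5(secret, packet with the attribute value zeroed)."""
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:] + placeholder
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # replace the zeroed placeholder value with the real MAC

def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    i = 20
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:            # zero-length or truncated attribute: reject, never loop
            raise ValueError("malformed RADIUS attribute")
        yield t, i + 2, packet[i + 2:i + l]
        i += l

def check_message_authenticator(packet, secret):
    """Return 'missing', 'invalid' or 'valid'. A server that requires 'valid' refuses tampered requests."""
    for t, off, val in parse_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(val) != 16:
                return "invalid"
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, val) else "invalid"
    return "missing"

if __name__ == "__main__":
    req = build_access_request(7, REQUEST_AUTHENTICATOR, [(ATTR_USER_NAME, b"alice")])
    print("without attribute:", check_message_authenticator(req, SHARED_SECRET))
    signed = add_message_authenticator(req, SHARED_SECRET)
    print("signed:", check_message_authenticator(signed, SHARED_SECRET))
    tampered = signed[:22] + b"b" + signed[23:]   # flip one byte of User-Name
    print("tampered:", check_message_authenticator(tampered, SHARED_SECRET))
```

Run it against packets captured from your own RADIUS clients to see which of them still send requests without the attribute before turning the server-side requirement on.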
Original Message:
Sent: Jul 12, 2024 12:26 PM
From: beconnect
Subject: regarding advisory HPESBNW04662
Hi all
Regarding this RADIUS advisory...
We have ClearPass 6.10.8 and also Mobility Conductor running 8.10.0.11.
What I read from the resolution is that MC should be updated to 8.10.0.14 (available later, Sept 24).
How about ClearPass? Is it mandatory to go to the 6.11 version? Since they say versions 6.11.8 or below; I ask you guys this because going to 6.11 implies a fresh install, no?
regards