  • 1.  regarding advisory HPESBNW04662

    Posted Jul 12, 2024 12:26 PM

    Hi all

    Regarding this RADIUS advisory...

    We have ClearPass 6.10.8 and also Mobility Conductor running 8.10.0.11.

    What I read from the resolution is that MC should be updated to 8.10.0.14 (available later, Sep 24).

    How about ClearPass? Is it mandatory to go to the 6.11 version, since they say versions 6.11.8 or below? I ask you guys this because going to 6.11 implies a fresh install, no?

    regards



  • 2.  RE: regarding advisory HPESBNW04662

    Posted Jul 12, 2024 12:51 PM

    Hi

    Yes, you have to upgrade to ClearPass 6.11 or 6.12. All other older versions are end of support; 6.9 and 6.10 since May.

    The upgrade documentation describes the process, and there are also several good discussion threads here in Airheads on the topic.

    But in short you need to perform a backup on the old server(s), upgrade hardware servers or deploy new VM servers, and do a restore of the backup. Licenses, certificates and some server settings must be restored manually.

    Any extensions must be installed before the restore, and must also be included in the restore.

    A convenient way with VM servers is to deploy new 6.11 servers with new IPs, and have both 6.10 and 6.11 running in parallel. That's OK also from a license point of view.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: regarding advisory HPESBNW04662

    Posted Jul 15, 2024 05:00 AM
    Edited by Herman Robers Jul 15, 2024 05:03 AM

    Did you see the workaround section?

    Network Operators who rely on the RADIUS protocol for device and/or
    user authentication should update their software and configuration
    to a secure form of the protocol for both clients and servers.
    Where available, using EAP-TLS (assuming Message-Authenticator is
    properly configured on the RADIUS server) or RadSec will mitigate the
    vulnerability. This work around applies to all products.

    In instances where product upgrades are not available,
    network isolation and secure VPN tunnel communications should
    be enforced for the RADIUS protocol to restrict access to these
    network resources from untrusted sources.
    

    It may be a good moment to move to EAP-TLS, RadSec, and other more secure protocols than RADIUS and get around the issue altogether.

    This attack requires a man-in-the-middle on RADIUS, so even running your RADIUS traffic over an isolated network (which end users/attackers don't have access to) would remove the risk; and if attackers/end users have access to the RADIUS traffic there are other risks, like RADIUS being unencrypted with usernames, attributes, passwords (PAP) and password challenges (MSCHAP/CHAP).

    Not downplaying the need to remediate this vulnerability, but getting rid of RADIUS (in addition) would probably be even better.

    If you have to run RADIUS, run it over a 'secured' network segment (not mixed with user traffic).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: regarding advisory HPESBNW04662

    Posted Jul 15, 2024 06:25 AM

    Hi Herman

    Yes, I read it, but assumed that we have the need to go to 6.11 on CPPM.

    Regarding the workaround, where can I find out if I am already using EAP-TLS on RADIUS?



    Bruno Costa
    IT Support Specialist
    CONNECTing Projectos e Consultoria Lda.
    Rua Diogo de Silves, 33C
    1400-107 Lisboa
    Tlm: +351 916 158 228
    Email: baraujo@connecting.pt
    internet: www.connecting.pt






  • 5.  RE: regarding advisory HPESBNW04662

    Posted Jul 15, 2024 08:32 AM

    EAP-TLS is the authentication method between the client and ClearPass, and you can see that in Access Tracker under the Authentication Method.

    Whether you configured RadSec or RADIUS can also be seen in Access Tracker, but under 'Source'.

    The vulnerability is in the RADIUS protocol, and requires a man-in-the-middle on that RADIUS traffic to be exploited, and the latest patches for ClearPass 6.11 and 6.12 have a fix. If there is no possibility for an attacker to perform a man-in-the-middle on the RADIUS traffic, because it's not accessible because it's running over a protected network segment or encrypted in a VPN or RadSec, there is no possibility to exploit. Having updated software where vulnerabilities are fixed is recommended anyway, if only because a potential vulnerability may pop up when security scans are performed.

    There will be no fix for ClearPass 6.10 as that version is end-of-support, and upgrading to 6.11 or 6.12 should be considered for other reasons as well, to stay on supported and maintained software versions.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
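
    The advisory workaround quoted earlier says the mitigation holds only if Message-Authenticator is "properly configured", and Herman's reply above explains why: the attack forges a reply to an Access-Request that carries no Message-Authenticator. The script below is an added example for readers of this thread; it is not ClearPass code, not from HPE/Aruba, and not from anyone in this thread. It builds RADIUS packets per RFC 2865 / RFC 2869 / RFC 3579 with a constructed shared secret, then applies the check a hardened server or client performs: reject any packet without a Message-Authenticator, and verify the HMAC-MD5 (and, for responses, the Response Authenticator) on every packet that has one. Use it to understand what "properly configured" means before reading a capture from your own NAS-to-ClearPass traffic; MD5 and HMAC-MD5 appear here because the protocol mandates them, not as a recommendation.

```python
# Added example: Message-Authenticator construction and verification for RADIUS
# packets (RFC 2865 / RFC 2869 / RFC 3579). Shared secret and packets are
# constructed for the example; nothing here is ClearPass or HPE/Aruba code.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_packet(code, ident, authenticator, attrs):
    """Serialise Code, Identifier, Length, Authenticator and TLV attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def find_message_authenticator(packet):
    """Walk the attribute list; return the offset of Message-Authenticator or None."""
    i = 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        if packet[i] == ATTR_MESSAGE_AUTHENTICATOR:
            if packet[i + 1] != 18:
                raise ValueError("Message-Authenticator must be 16 octets")
            return i
        i += packet[i + 1]
    return None


def message_authenticator(packet, secret, request_auth, offset):
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579 s3.2).
    For an Access-Request, request_auth is its own Request Authenticator; for
    Accept/Reject/Challenge it is the Request Authenticator of the request being
    answered, placed in the Authenticator field for the computation."""
    zeroed = (packet[:4] + request_auth + packet[20:offset + 2]
              + b"\x00" * 16 + packet[offset + 18:])
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def check_packet(packet, secret, request_auth=None):
    """Return (ok, reason). Every packet must carry a valid Message-Authenticator;
    a response is additionally checked against its Response Authenticator."""
    if len(packet) < 20:
        return False, "too short"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    if code == ACCESS_REQUEST:
        req_auth = packet[4:20]
    else:
        if request_auth is None:
            return False, "need the Request Authenticator to verify a response"
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False, "bad Response Authenticator"
        req_auth = request_auth
    try:
        off = find_message_authenticator(packet)
    except ValueError as exc:
        return False, str(exc)
    if off is None:
        return False, "no Message-Authenticator"  # the condition Blast-RADIUS needs
    expected = message_authenticator(packet, secret, req_auth, off)
    if not hmac.compare_digest(expected, packet[off + 2:off + 18]):
        return False, "bad Message-Authenticator"
    return True, "ok"


def make_access_request(secret, ident, username, include_ma=True):
    """Build an Access-Request; include_ma=False models a legacy NAS."""
    attrs = [(ATTR_USER_NAME, username)]
    if include_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)
    if include_ma:
        off = find_message_authenticator(pkt)
        mac = message_authenticator(pkt, secret, pkt[4:20], off)
        pkt = pkt[:off + 2] + mac + pkt[off + 18:]
    return pkt


def make_response(secret, code, request, include_ma=True):
    """Build the reply to `request`; include_ma=False models an unpatched server."""
    req_auth = request[4:20]
    attrs = [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)] if include_ma else []
    pkt = build_packet(code, request[1], b"\x00" * 16, attrs)  # placeholder auth
    if include_ma:
        off = find_message_authenticator(pkt)
        mac = message_authenticator(pkt, secret, req_auth, off)
        pkt = pkt[:off + 2] + mac + pkt[off + 18:]
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed for the example
    req = make_access_request(SECRET, 7, b"alice")
    print("accept with MA    :", check_packet(make_response(SECRET, ACCESS_ACCEPT, req), SECRET, req[4:20]))
    print("accept without MA :", check_packet(make_response(SECRET, ACCESS_ACCEPT, req, False), SECRET, req[4:20]))
```

    The point of the `include_ma=False` paths is that an Access-Accept with a correct Response Authenticator but no Message-Authenticator is exactly what an unpatched server emits and what the attack forges, so a client that accepts it on the strength of the Response Authenticator alone is still exposed even after the server is patched; both sides have to require the attribute.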



  • 6.  RE: regarding advisory HPESBNW04662

    Posted Jul 15, 2024 09:45 AM

    Hi Herman

    I see it, and it's not EAP-TLS, and the source is RADIUS.

    But yes, we should schedule the upgrade to 6.11 or 6.12 now.