PT-2018-17881 · Aruba · Aruba Clearpass Policy Manager

Published: 2018-12-07 · Updated: 2019-10-03 · CVE-2018-7066

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Aruba ClearPass Policy Manager versions prior to 6.7.5
Aruba ClearPass Policy Manager versions prior to 6.6.10-hotfix

Description

An unauthenticated remote command execution issue exists in the ClearPass OnConnect feature, which allows administrators to link other network devices into ClearPass. A defect in the API could allow a remote attacker to execute arbitrary commands on one of the linked devices. This issue is only applicable if credentials for devices have been supplied to ClearPass under Configuration -> Network -> Devices -> CLI Settings.

Recommendations

For versions prior to 6.7.5, update to version 6.7.5 to resolve the issue. For versions prior to 6.6.10-hotfix, apply the 6.6.10-hotfix to resolve the issue. As a temporary workaround, consider restricting access to the linked devices or removing device credentials from ClearPass to minimize the risk of exploitation.

Fix

Related identifiers

CVE-2018-7066

Affected products

Aruba Clearpass Policy Manager