NIAP: Assurance Continuity
Assurance Continuity - Maintenance Update of Aruba ClearPass Policy Manager, Version 6.7.3

Date of Maintenance Completion:  2018.07.12

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0
  Extended Package for Authentication Servers Version 1.0

Original Evaluated TOE:  2018.01.17 - Aruba Networks ClearPass Policy Manager

Documents for the Original Evaluated TOE: CC Certificate [PDF], Validation Report [PDF], Assurance Activity [PDF], Administrative Guide [PDF]

Please note: The above files were produced for the Original Evaluated TOE. They do not describe this maintained version, but they remain applicable to it.

Documents for this Maintenance Release: Security Target [PDF] *, Assurance Continuity Maintenance Report [PDF], Administrative Guide [PDF]

Please note: The Assurance Continuity Maintenance Report serves as an addendum to the Validation Report (VR) for the Original Evaluated TOE.

* This is the Security Target (ST) associated with this latest Maintenance Release. Previous STs for this TOE are available separately.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance regarding the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target. Readers are therefore reminded to read the Security Target, the Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents.

Product Description

Aruba has upgraded the TOE from the evaluated ClearPass 6.6.8 to 6.7.3. In addition, Aruba has rebranded hardware models in the evaluation. The rebranding information appears in the following table:

Old Name                New Name
CP-HW-500 (JW770A)      C1000
CP-HW-5K (JX921A)       C2000
CP-HW-25K (JX920A)      C3000

Non-security Functional Changes

Aruba made several non-security functional changes to the TOE, a summary of which follows in the table below:

Feature: Many new Plugins supported
Assessment: The plugin functionality is outside the scope of the NDcPP evaluation.

Feature: Policy Manager upgrades (each item is followed by its assessment)
1. Cluster login enabled. Cluster functionality is outside the scope of the NDcPP evaluation.
2. VIA client support enhanced. VIA clients are outside the scope of the NDcPP evaluation.
3. New ciphers for LDAP support. LDAP communication is outside the scope of the NDcPP evaluation.
4. Support for TACACS+ administrator login added. The evaluated configuration requires local login; this added functionality is outside the scope of the NDcPP evaluation.
5. Syslog messages can be batched for between 30 seconds and 120 seconds. The syslog channel is still protected, so this only adds flexibility for administrators.
6. IPv6 support added. IPv6 functionality was not present in the original evaluation and is not being added to the evaluation scope in this Assurance Maintenance action. Only IPv4 is covered by the evaluation.
7. Multiple RADIUS certificates now supported. The change allows more than one certificate to be used for RADIUS, so that a policy can state "these clients use certificate A and all others use the default certificate". The certificate checking code remains unchanged.
8. DNS caching supported. DNS caching is outside the scope of the NDcPP evaluation.
9. Added default trusted root certificates. The specification of particular trusted roots is outside the scope of the NDcPP evaluation.
10. Changed default profile names. The default profile names do not affect security.
11. Post-Auth v2 function added. A function was added to improve performance and scaling for post-authentication events when inter-operating with third-party systems. These improvements are outside the scope of the NDcPP.

Feature: Licensing changes
Assessment: The licensing approach is outside the scope of the NDcPP evaluation.

Feature: Virtual Servers are renamed
Assessment: Virtual Servers were not in the evaluated configuration.

Feature: Social Login names are renamed to Cloud logins
Assessment: Social Logins are outside the scope of the NDcPP evaluation.

Feature: MariaDB replaces MySQL. A separate patch is no longer required in order to create and use MySQL or MariaDB authentication sources.
Assessment: The database is outside of the TOE and is accessed through a standard DB interface, which has remained unchanged.

Feature: Commonly used password deprecated.
Assessment: The TOE no longer supports use of a commonly configured password for the product. In the CC configuration, the administrator is instructed to select a strong password.

Feature: New APIs are added for sorting.
Assessment: The sorting functionality is outside the scope of the NDcPP evaluation.

Feature: CLI command: a new command has been added to reset the device from the command line.
Assessment: This is an ease-of-use feature and does not affect the security requirements within the NDcPP. Administrators must authenticate before accessing the CLI.

Feature: Enhancements for Endpoint Context Servers
Assessment: Endpoint Context Servers are outside the scope of the NDcPP evaluation.

Feature: Enhancements for ClearPass Guest Access
Assessment: In the CC configuration, the administrator is instructed to always log in.

Feature: Enhancements for Insight Reporting
Assessment: Insight reporting was not included in the scope of the NDcPP evaluation.

Feature: Enhancements for Profiler and Network Discovery
Assessment: The Profiler and Network Discovery are outside the scope of the NDcPP evaluation.

Feature: Enhancements for Onboard Server
Assessment: The Onboard Server is outside the scope of the NDcPP evaluation.

The validation team has examined these changes and has determined that they are either outside the scope of the evaluation or do not materially affect the security assurance of the evaluated configuration.

Product Bug Fixes

Aruba fixed several bugs associated with the ClearPass Policy Manager. The following table contains a summary of the functional and security-related bug fixes applied to the TOE. 

Bug: Certificate Revocation List (CRL) updates could not be downloaded from the federal CRL server.
Assessment: This was an implementation issue. The CRL checks behaved properly, but communication with the federal server needed patching.

Bug: EAP-TLS authentications failed in FIPS mode and displayed the error message "fatal alert by server - decrypt_error." ClearPass in FIPS mode now accepts client certificates that use the RSASSA-PSS signature algorithm.
Assessment: This signature type is not allowed in CC mode.

Bug: When CC mode was enabled, an administrator could not log in to the ClearPass Administration UI, but was able to log in as appadmin through the CLI.
Assessment: A specific reset CLI command was added. The evaluation showed this feature worked originally; the command has been added for ease of use.

Bug: Corrected a cluster time synchronization issue where the time in ClearPass was several minutes behind the Network Time Protocol (NTP) clock because a subscriber was referring directly to the NTP server. ClearPass subscribers now synchronize only with the publisher. The publisher is the only ClearPass server to contact the NTP server, and it acts as the NTP server for all the subscribers.
Assessment: NTP is outside the scope of the evaluation.

Bug: The OpenSSH version is now updated to 7.4. This includes fixes for CVE-2015-5600, CVE-2016-6563, CVE-2016-6564, CVE-2016-8858, CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, and CVE-2016-10012.
Assessment: Aruba followed NIAP's update policy and addressed the vulnerabilities.

Bug: Corrected an issue where updating from 6.7.0 to 6.7.1 while FIPS mode was enabled caused the configured user interface password to be reset to the default password (eTIPS123).
Assessment: This removed a potential vulnerability. It has been fixed and does not exist in the approved version.

Bug: This release includes fixes for a potential vulnerability described in CVE-2018-0489.
Assessment: Aruba followed NIAP's update policy and addressed the vulnerability.

Bug: The Apache Hypertext Transfer Protocol Server (HTTPd) version is now updated to 2.4.29. This includes fixes for CVE-2017-3167.
Assessment: Aruba followed NIAP's update policy and addressed the vulnerability.

Bug: The strongSwan version is now updated to 5.6.0. This includes fixes for CVE-2017-1185, CVE-2018-0489, and CVE-2018-7063.
Assessment: Aruba followed NIAP's update policy and addressed the vulnerabilities.

Bug: ClearPass could not be rolled back to the last known good signature if it failed to load a new signature update. Posture signature updates are now automatically reverted to the previous signature if there is a problem that prevents the signature from loading correctly.
Assessment: This is a denial of service issue that has been addressed. It is also only applicable to OnGuard users, which is outside the scope of the NDcPP evaluation.

Bug: The Apache Tomcat version is now upgraded to 7.0.85. This includes fixes for the vulnerabilities described in CVE-2018-1304 and CVE-2018-1305.
Assessment: Aruba followed NIAP's update policy and addressed the vulnerabilities.

Vulnerability Assessment

Gossamer Laboratories conducted a vulnerability assessment of the TOE, including searches of several public vulnerability databases. Among the sources searched were:

· National Vulnerability Database (https://web.nvd.nist.gov/vuln/search)
· Vulnerability Notes Database (http://www.kb.cert.org/vuls/)
· Rapid7 Vulnerability Database (https://www.rapid7.com/db/vulnerabilities)
· Tipping Point Zero Day Initiative (http://www.zerodayinitiative.com/advisories)
· Exploit / Vulnerability Search Engine (http://www.exploitsearch.net)
· SecurITeam Exploit Search (http://www.securiteam.com)
· Tenable Network Security (http://nessus.org/plugins/index.php?view=search)
· Offensive Security Exploit Database (https://www.exploit-db.com/)

The searches were conducted on June 14, 2018, and included the following search terms: "Aruba", "ClearPass", "ClearPass Policy Manager", "ClearPass 6.7", "IKEv1", "IKEv2", "ESP", "TLS", "SSHv2", "HPE Aruba".

Vendor Information

Aruba, a Hewlett Packard Enterprise Company
Steve Weingart
210-516-5736
sweingart@arubanetworks.com
www.arubanetworks.com