Full Report
HPE security advisory (AV26-139)
Analysis Summary
# Vulnerability: Local Privilege Escalation in HPE Aruba Networking ClearPass Policy Manager OnGuard (Linux)
## CVE Details
- **CVE ID:** CVE-2025-24328
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** HPE Aruba Networking ClearPass Policy Manager (CPPM) OnGuard Agent for Linux.
- **Versions:**
  - 6.12.x: Version 6.12.7 and prior
  - 6.11.x: Version 6.11.13 and prior
- **Configurations:** Systems running the Linux-based OnGuard agent software within a ClearPass environment.
## Vulnerability Description
A local privilege escalation vulnerability exists in the HPE Aruba Networking ClearPass Policy Manager OnGuard software for Linux. The flaw resides in how the application manages permissions or processes certain local requests, allowing a local authenticated user with low privileges to execute commands or manipulate files with elevated (root) privileges.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC available at this time.
- **Complexity:** Low
- **Attack Vector:** Local (Requires authenticated access to the target Linux system).
## Impact
- **Confidentiality:** High (Full access to system files and data).
- **Integrity:** High (Ability to modify system configurations and binaries).
- **Availability:** High (Ability to disable services or crash the OS).
## Remediation
### Patches
HPE recommends updating the OnGuard Agent for Linux to the following versions or later:
- **ClearPass 6.12.x:** Update to version 6.12.8
- **ClearPass 6.11.x:** Update to version 6.11.14
### Workarounds
The vendor provides no specific functional workaround. The primary mitigation is to restrict local access to trusted, verified users and apply the security updates immediately.
## Detection
- **Indicators of Compromise:** Monitor for unusual activity from the OnGuard process (`clearpass-onguard`) or unexpected `sudo`/root executions initiated by standard user accounts.
- **Detection methods and tools:** Audit Linux system logs (`/var/log/auth.log` or `/var/log/secure`) for privilege escalation attempts.
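One way to run the log audit described above, as an added example that is not part of the advisory or of HPE's tooling: it parses standard sudo records from `/var/log/auth.log` or `/var/log/secure` and flags rejected attempts and root commands from accounts outside an allowlist. The allowlist, account names, host name and sample lines are constructed assumptions.

```python
import re

# Assumption: accounts expected to run commands as root on this host (hypothetical).
ADMIN_ALLOWLIST = {"opsadmin"}

# sudo's syslog record: "<timestamp> <host> sudo[pid]: <user> : <field> ; <field> ; ..."
# The timestamp is classic syslog ("Mar  3 10:15:42") or a single ISO 8601 token.
SUDO_RE = re.compile(
    r"^(?P<ts>\S+(?:\s+\d+\s[\d:]{8})?)\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<rest>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # COMMAND is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m["rest"].partition("COMMAND=")
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value      # TTY, PWD, USER
        else:
            notes.append(part)       # e.g. "user NOT in sudoers"
    return {"ts": m["ts"], "user": m["user"], "target": fields.get("USER"),
            "command": command if sep else None, "notes": notes}

def flag_events(lines, allowlist=ADMIN_ALLOWLIST):
    """Return (user, reason, command) for rejected attempts and unlisted root use."""
    findings = []
    for ev in filter(None, map(parse_sudo_line, lines)):
        if ev["notes"]:
            findings.append((ev["user"], "rejected: " + ev["notes"][0], ev["command"]))
        elif ev["target"] == "root" and ev["user"] not in allowlist:
            findings.append((ev["user"], "root command by non-allowlisted account", ev["command"]))
    return findings

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "Mar  3 10:15:42 lab-host sudo: opsadmin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl status sshd",
    "Mar  3 10:16:01 lab-host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:17:30 lab-host sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; whoami",
    "Mar  3 10:17:31 lab-host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by carol(uid=1001)",
    "Mar  3 10:18:02 lab-host sshd[812]: Accepted publickey for opsadmin from 192.0.2.10 port 50514 ssh2",
]
```

An escalation that never passes through sudo writes no such record, so treat this as one signal alongside monitoring of the OnGuard process itself.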
## References
- **Vendor Advisory:** hxxps[://]support[.]hpe[.]com/hpesc/public/docDisplay?docId=hpesbnw05012en_us
- **HPE Security Bulletin Library:** hxxps[://]support[.]hpe[.]com/connect/s/securitybulletinlibrary?language=en_US
- **CCCS Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/hpe-security-advisory-av26-139