Lucene search

[email protected]CVE-2020-12143

HistoryMay 05, 2020 - 8:15 p.m.

CVE-2020-12143

2020-05-0520:15:12

CWE-295

[email protected]

web.nvd.nist.gov

cve-2020-12143

certificate validation

tls connection

orchestrator

edgeconnect

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator.

Affected configurations

NVD

Node

silver-peakunity_edgeconnect_for_amazon_web_servicesMatch-

silver-peakunity_edgeconnect_for_azureMatch-

silver-peakunity_edgeconnect_for_google_cloud_platformMatch-

silver-peakunity_orchestratorRange<8.9.2

Node

arubanetworksvx-500Match-

AND

silver-peakvx-500_firmwareMatch-

Node

arubanetworksvx-1000Match-

AND

silver-peakvx-1000_firmwareMatch-

Node

arubanetworksvx-2000Match-

AND

silver-peakvx-2000_firmwareMatch-

Node

arubanetworksvx-3000Match-

AND

silver-peakvx-3000_firmwareMatch-

Node

silver-peakvx-5000_firmwareMatch-

AND

arubanetworksvx-5000Match-

Node

silver-peakvx-6000_firmwareMatch-

AND

arubanetworksvx-6000Match-

Node

silver-peakvx-7000_firmwareMatch-

AND

arubanetworksvx-7000Match-

Node

silver-peakvx-9000_firmwareMatch-

AND

arubanetworksvx-9000Match-

Node

silver-peakvx-8000_firmwareMatch-

AND

arubanetworksvx-8000Match-

Node

silver-peaknx-700_firmwareMatch-

AND

arubanetworksnx-700Match-

Node

silver-peaknx-1000_firmwareMatch-

AND

arubanetworksnx-1000Match-

Node

silver-peaknx-2000_firmwareMatch-

AND

arubanetworksnx-2000Match-

Node

silver-peaknx-3000_firmwareMatch-

AND

arubanetworksnx-3000Match-

Node

silver-peaknx-5000_firmwareMatch-

AND

arubanetworksnx-5000Match-

Node

silver-peaknx-6000_firmwareMatch-

AND

arubanetworksnx-6000Match-

Node

silver-peaknx-7000_firmwareMatch-

AND

arubanetworksnx-7000Match-

Node

silver-peaknx-8000_firmwareMatch-

AND

arubanetworksnx-8000Match-

Node

silver-peaknx-9000_firmwareMatch-

AND

arubanetworksnx-9000Match-

Node

silver-peaknx-10k_firmwareMatch-

AND

arubanetworksnx-10kMatch-

Node

silver-peaknx-11k_firmwareMatch-

AND

arubanetworksnx-11kMatch-

CPENameOperatorVersion
silver-peak:unity_edgeconnect_for_amazon_web_servicessilver-peak unity edgeconnect for amazon web serviceseq-
silver-peak:unity_edgeconnect_for_azuresilver-peak unity edgeconnect for azureeq-
silver-peak:unity_edgeconnect_for_google_cloud_platformsilver-peak unity edgeconnect for google cloud platformeq-
silver-peak:unity_orchestratorsilver-peak unity orchestratorlt8.9.2

CPE	Name	Operator	Version
silver-peak:unity_edgeconnect_for_amazon_web_services	silver-peak unity edgeconnect for amazon web services	eq	-
silver-peak:unity_edgeconnect_for_azure	silver-peak unity edgeconnect for azure	eq	-
silver-peak:unity_edgeconnect_for_google_cloud_platform	silver-peak unity edgeconnect for google cloud platform	eq	-
silver-peak:unity_orchestrator	silver-peak unity orchestrator	lt	8.9.2

CNA Affected

[
  {
    "product": "1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator,   3. EdgeConnect in AWS, Azure, GCP  ",
    "vendor": "Silver Peak Systems, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+ "
      }
    ]
  }
]

References

www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator-cve_2020_12143.pdf

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for CVE-2020-12143

prion1 cvelist1 nvd1