PT-2020-13067 · Silver Peak · Orchestrator+1

Published: 2020-12-11 · Updated: 2024-12-12 · CVE-2020-12149

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Silver Peak Unity ECOSTM (ECOS) appliance software versions prior to 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0

Description: The configuration backup/restore function in the software directly incorporates the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This issue can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI.

Recommendations: For versions prior to 8.1.9.15, update to version 8.1.9.15 or later. For versions prior to 8.3.0.8, update to version 8.3.0.8 or later. For versions prior to 8.3.1.2, update to version 8.3.1.2 or later. For versions prior to 8.3.2.0, update to version 8.3.2.0 or later. For versions prior to 9.0.2.0, update to version 9.0.2.0 or later. For versions prior to 9.1.0.0, update to version 9.1.0.0 or later. As a temporary workaround, consider restricting access to the configuration backup/restore function to minimize the risk of exploitation.
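The weakness class described above, as an added illustration that is not Silver Peak's code: a backup handler that splices the user-supplied config filename into a shell string, beside a hardened version that validates the name and passes an argv list with no shell. The directory paths and function names are assumptions for the example.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical directories for a config backup/restore handler; the advisory
# does not give the appliance's real paths.
CONFIG_DIR = Path("/var/config")
BACKUP_DIR = Path("/var/backup")

# Only a bare file name: letters, digits, underscore, dot, dash; no path
# separators, no shell metacharacters, no leading dot (blocks "..").
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def build_backup_command_vulnerable(filename: str) -> str:
    """The pattern the advisory describes: user input becomes part of a
    shell command line, so any shell metacharacter in it is interpreted."""
    return f"cp {CONFIG_DIR}/{filename} {BACKUP_DIR}/"


def validate_config_name(filename: str) -> str:
    """Accept only a plain file name that stays inside CONFIG_DIR."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid config file name")
    target = (CONFIG_DIR / filename).resolve()
    if target.parent != CONFIG_DIR.resolve():
        raise ValueError("config file name escapes the config directory")
    return filename


def build_backup_command_hardened(filename: str) -> list[str]:
    """argv list instead of a shell string: the name is one argument,
    never parsed by a shell, and "--" ends option parsing for cp."""
    name = validate_config_name(filename)
    return ["cp", "--", str(CONFIG_DIR / name), str(BACKUP_DIR) + "/"]


def run_backup(filename: str) -> int:
    """Execute the hardened form; shell=False hands argv to cp verbatim."""
    cmd = build_backup_command_hardened(filename)
    return subprocess.run(cmd, shell=False, check=False).returncode
```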

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2020-12149

Affected Products: Orchestrator, Silver Peak Unity Edgeconnect