PT-2020-6945 · Silver Peak · Silver Peak Unity ECOS™

Published: 2020-12-11 · Updated: 2024-12-12 · CVE-2020-12148

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Silver Peak Unity ECOS™ (ECOS) versions prior to 8.1.9.15
Silver Peak Unity ECOS™ (ECOS) versions prior to 8.3.0.8
Silver Peak Unity ECOS™ (ECOS) versions prior to 8.3.1.2
Silver Peak Unity ECOS™ (ECOS) versions prior to 8.3.2.0
Silver Peak Unity ECOS™ (ECOS) versions prior to 9.0.2.0
Silver Peak Unity ECOS™ (ECOS) versions prior to 9.1.0.0

Description

A command injection flaw in the nslookup API of Silver Peak Unity ECOS™ (ECOS) appliance software could allow an attacker to execute arbitrary commands with the privileges of the web server running on the EdgeConnect appliance. This could enable an attacker to establish an interactive channel and take control of the target system. The vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI.

Recommendations

For versions prior to 8.1.9.15, update to version 8.1.9.15 or later.
For versions prior to 8.3.0.8, update to version 8.3.0.8 or later.
For versions prior to 8.3.1.2, update to version 8.3.1.2 or later.
For versions prior to 8.3.2.0, update to version 8.3.2.0 or later.
For versions prior to 9.0.2.0, update to version 9.0.2.0 or later.
For versions prior to 9.1.0.0, update to version 9.1.0.0 or later.

As a temporary workaround, consider restricting access to the nslookup API until a patch is available.

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2023-08098
CVE-2020-12148

Affected Products

Silver Peak Unity ECOS™