CVE-2020-12144: The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated
First published: Tue May 05 2020(Updated: )
The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. This makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted portal.
Credit: sirt@silver-peak.com sirt@silver-peak.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Silver Peak Unity EdgeConnect | ||
| Silver Peak Unity EdgeConnect | ||
| Silver Peak Unity EdgeConnect | ||
| Silver Peak Unity Orchestrator | <8.9.2 | |
| Silver Peak VX-500 | ||
| Silver Peak VX-500 | ||
| Silver Peak VX-1000 | ||
| Silver Peak VX-1000 | ||
| Silver Peak VX-2000 | ||
| Silver Peak VX-2000 | ||
| Silver Peak VX-3000 | ||
| Silver Peak VX-3000 | ||
| Silver Peak VX-5000 | ||
| Silver Peak VX-5000 | ||
| Silver Peak VX-6000 | ||
| Silver Peak VX-6000 | ||
| Silver Peak VX-7000 | ||
| Silver Peak VX-7000 | ||
| Silver Peak VX-9000 Firmware | ||
| Silver Peak VX-9000 | ||
| Silver Peak VX-8000 | ||
| Silver Peak VX-8000 | ||
| silver-peak nx-700 firmware | ||
| Silver Peak NX-700 | ||
| Silver Peak NX-1000 Firmware | ||
| Silver Peak NX-1000 Firmware | ||
| Silver Peak NX-2000 Firmware | ||
| Silver Peak NX-2000 Firmware | ||
| Silver Peak NX-3000 Firmware | ||
| Silver Peak NX-3000 Firmware | ||
| Silver Peak NX-5000 Firmware | ||
| Silver Peak NX-5000 | ||
| Silver Peak NX-6000 Firmware | ||
| Silver Peak NX-6000 | ||
| Silver Peak NX-7000 Firmware | ||
| Silver Peak NX-7000 | ||
| Silver Peak NX-8000 Firmware | ||
| Silver Peak NX-8000 | ||
| Silver Peak NX-9000 Firmware | ||
| Silver Peak NX-9000 | ||
| Silver Peak NX-10K Firmware | ||
| Silver Peak NX-10K Firmware | ||
| silver-peak nx-11k firmware | ||
| silver-peak nx-11k firmware | ||
| Aruba Networks VX-500 | ||
| Aruba Networks VX-1000 | ||
| Aruba Networks VX-2000 | ||
| Aruba Networks VX-3000 | ||
| Aruba Networks VX-5000 | ||
| Aruba Networks VX-6000 | ||
| Aruba Networks VX-7000 | ||
| Aruba Networks VX 9000 | ||
| Aruba Networks VX-8000 | ||
| Aruba Networks NX-700 | ||
| Aruba Networks NX-1000 | ||
| Aruba Networks NX-2000 | ||
| Aruba Networks NX-3000 | ||
| Aruba Networks NX-5000 | ||
| Aruba Networks NX-6000 | ||
| Aruba Networks NX-7000 | ||
| Aruba Networks NX-8000 | ||
| Aruba Networks NX-9000 | ||
| Aruba Networks NX-10K | ||
| Aruba Networks NX-11K |
Remedy
Resolution • Changes have been made to strengthen the initial exchange between the EdgeConnect appliance and the Cloud Portal. After the changes, EdgeConnect will validate the certificate used to identify the Silver Peak Cloud Portal to EdgeConnect. • TLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. Any required configuration • Do not change Cloud Portal’s IP address as discovered by the EdgeConnect appliance. • Upgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. • In Orchestrator, enable the “Verify Portal Certificate” option under Advanced Security Settings.
Remedy
The full details of the CVE can be found at https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_portal_cve_2020_12144.pdf
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-12144?
CVE-2020-12144 is a vulnerability in the Silver Peak Cloud Portal that allows an attacker to establish a TLS connection from EdgeConnect to an untrusted portal due to an unvalidated certificate.
Which Silver Peak products are affected by CVE-2020-12144?
Silver-peak Unity Edgeconnect for Amazon Web Services, Silver-peak Unity Edgeconnect for Azure, Silver-peak Unity Edgeconnect for Google Cloud Platform, and Silver-peak Unity Orchestrator version up to 8.9.2 are affected by CVE-2020-12144.
What is the severity of CVE-2020-12144?
The severity of CVE-2020-12144 is medium, with a severity value of 4.9.
How can I fix CVE-2020-12144?
To fix CVE-2020-12144, it is recommended to apply the necessary updates or patches provided by Silver Peak.
Where can I find more information about CVE-2020-12144?
You can find more information about CVE-2020-12144 at the following reference: https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_portal-cve_2020_12144.pdf
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/title
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/silver-peak
- canonical/silver peak unity edgeconnect
- canonical/silver peak unity orchestrator
- canonical/silver peak vx-500
- canonical/silver peak vx-1000
- canonical/silver peak vx-2000
- canonical/silver peak vx-3000
- canonical/silver peak vx-5000
- canonical/silver peak vx-6000
- canonical/silver peak vx-7000
- canonical/silver peak vx-9000 firmware
- canonical/silver peak vx-9000
- canonical/silver peak vx-8000
- canonical/silver-peak nx-700 firmware
- canonical/silver peak nx-700
- canonical/silver peak nx-1000 firmware
- canonical/silver peak nx-2000 firmware
- canonical/silver peak nx-3000 firmware
- canonical/silver peak nx-5000 firmware
- canonical/silver peak nx-5000
- canonical/silver peak nx-6000 firmware
- canonical/silver peak nx-6000
- canonical/silver peak nx-7000 firmware
- canonical/silver peak nx-7000
- canonical/silver peak nx-8000 firmware
- canonical/silver peak nx-8000
- canonical/silver peak nx-9000 firmware
- canonical/silver peak nx-9000
- canonical/silver peak nx-10k firmware
- canonical/silver-peak nx-11k firmware
- vendor/arubanetworks
- canonical/aruba networks vx-500
- canonical/aruba networks vx-1000
- canonical/aruba networks vx-2000
- canonical/aruba networks vx-3000
- canonical/aruba networks vx-5000
- canonical/aruba networks vx-6000
- canonical/aruba networks vx-7000
- canonical/aruba networks vx 9000
- canonical/aruba networks vx-8000
- canonical/aruba networks nx-700
- canonical/aruba networks nx-1000
- canonical/aruba networks nx-2000
- canonical/aruba networks nx-3000
- canonical/aruba networks nx-5000
- canonical/aruba networks nx-6000
- canonical/aruba networks nx-7000
- canonical/aruba networks nx-8000
- canonical/aruba networks nx-9000
- canonical/aruba networks nx-10k
- canonical/aruba networks nx-11k