8.5
CWE
78 77
Advisory Published
Updated

CVE-2020-12148: OS Command Injection - nslookup API

First published: Fri Dec 11 2020(Updated: )

A command injection flaw identified in the nslookup API in Silver Peak Unity ECOSTM (ECOS) appliance software could allow an attacker to execute arbitrary commands with the privileges of the web server running on the EdgeConnect appliance. An attacker could exploit this vulnerability to establish an interactive channel, effectively taking control of the target system. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to : 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.

Credit: sirt@silver-peak.com sirt@silver-peak.com

Affected SoftwareAffected VersionHow to fix
Silver-peak Ecos>=8.1<8.1.9.15
Silver-peak Ecos>=8.3.0<8.3.0.8
Silver-peak Ecos>=8.3.1<8.3.1.2
Silver-peak Ecos>=9.0<9.0.2.0
Silver-peak Vx-1000
Silver-peak Vx-2000
Silver-peak Vx-3000
Silver-peak Vx-500
Silver-peak Vx-5000
Silver-peak Vx-6000
Silver-peak Vx-7000
Silver-peak Vx-8000
Silver-peak Vx-9000
Silver-peak Nx-10700
Silver-peak Nx-11700
Silver-peak Nx-1700
Silver-peak Nx-2700
Silver-peak Nx-3700
Silver-peak Nx-5700
Silver-peak Nx-6700
Silver-peak Nx-700
Silver-peak Nx-7700
Silver-peak Nx-8700
Silver-peak Nx-9700
Silver-peak Unity Edgeconnect
All of
Any of
Arubanetworks Edgeconnect Enterprise>=8.1<8.1.9.15
Arubanetworks Edgeconnect Enterprise>=8.3.0<8.3.0.8
Arubanetworks Edgeconnect Enterprise>=8.3.1<8.3.1.2
Arubanetworks Edgeconnect Enterprise>=9.0<9.0.2.0
Any of
Arubanetworks Vx-1000
Arubanetworks Vx-2000
Arubanetworks Vx-3000
Arubanetworks Vx-500
Arubanetworks Vx-5000
Arubanetworks Vx-6000
Arubanetworks Vx-7000
Arubanetworks Vx-8000
Arubanetworks Vx-9000
Arubanetworks Nx-10700
Arubanetworks Nx-11700
Arubanetworks Nx-1700
Arubanetworks Nx-2700
Arubanetworks Nx-3700
Arubanetworks Nx-5700
Arubanetworks Nx-6700
Arubanetworks Nx-700
Arubanetworks Nx-7700
Arubanetworks Nx-8700
Arubanetworks Nx-9700

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the vulnerability ID for this command injection flaw?

    The vulnerability ID for this command injection flaw is CVE-2020-12148.

  • What is the affected software?

    The affected software is Silver Peak Unity ECOSTM (ECOS) appliance software.

  • What is the severity of CVE-2020-12148?

    The severity of CVE-2020-12148 is high.

  • How can an attacker exploit this vulnerability?

    An attacker can exploit this vulnerability by executing arbitrary commands with the privileges of the web server running on the EdgeConnect appliance.

  • Are there any available fixes for this vulnerability?

    Please refer to the Silver Peak website for available fixes and patches.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203