{"containers":{"cna":{"affected":[{"product":"1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator,   3. EdgeConnect in AWS, Azure, GCP","vendor":"Silver Peak Systems, Inc.","versions":[{"status":"affected","version":"All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+"}]}],"configurations":[{"lang":"en","value":"Any required configuration\n•\tDo not change Orchestrator’s IP address as discovered by the EdgeConnect appliance. \n•\tUpgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. \n•\tIn Orchestrator, enable the “Verify Orchestrator Certificate” option under Advanced Security Settings. \n\nSolution link - References \n             The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12143."}],"credits":[{"lang":"en","value":"This vulnerability was reported to Silver Peak by Denis Kolegov, Mariya Nedyak, and Anton Nikolaev from the SD-WAN New Hop team."}],"descriptions":[{"lang":"en","value":"The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-295","description":"CWE-295: Improper Certificate Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2020-05-07T16:58:22.000Z","orgId":"83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c","shortName":"Silver Peak"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator-cve_2020_12143.pdf"}],"solutions":[{"lang":"en","value":"Any required configuration\n•\tDo not change Orchestrator’s IP address as discovered by the EdgeConnect appliance. \n•\tUpgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. \n•\tIn Orchestrator, enable the “Verify Orchestrator Certificate” option under Advanced Security Settings. \n\nSolution link - References \n             The full details of the CVE can be found at https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator_cve_2020_12143.pdf"}],"source":{"advisory":"2020 -04-24-001- 002","discovery":"EXTERNAL"},"title":"The certificate used to identify Orchestrator to EdgeConnect devices is not validated","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"sirt@silver-peak.com","ID":"CVE-2020-12143","STATE":"PUBLIC","TITLE":"The certificate used to identify Orchestrator to EdgeConnect devices is not validated"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator,   3. EdgeConnect in AWS, Azure, GCP","version":{"version_data":[{"version_name":"All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+","version_value":"All versions affected prior to Silver Peak Unity ECOS™ 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+"}]}}]},"vendor_name":"Silver Peak Systems, Inc."}]}},"configuration":[{"lang":"en","value":"Any required configuration\n•\tDo not change Orchestrator’s IP address as discovered by the EdgeConnect appliance. \n•\tUpgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. \n•\tIn Orchestrator, enable the “Verify Orchestrator Certificate” option under Advanced Security Settings. \n\nSolution link - References \n             The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12143."}],"credit":[{"lang":"eng","value":"This vulnerability was reported to Silver Peak by Denis Kolegov, Mariya Nedyak, and Anton Nikolaev from the SD-WAN New Hop team."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-295: Improper Certificate Validation"}]}]},"references":{"reference_data":[{"name":"https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator-cve_2020_12143.pdf","refsource":"CONFIRM","url":"https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator-cve_2020_12143.pdf"}]},"solution":[{"lang":"en","value":"Any required configuration\n•\tDo not change Orchestrator’s IP address as discovered by the EdgeConnect appliance. \n•\tUpgrade to Silver Peak Unity ECOS™ 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator™ 8.9.2+. \n•\tIn Orchestrator, enable the “Verify Orchestrator Certificate” option under Advanced Security Settings. \n\nSolution link - References \n             The full details of the CVE can be found at https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator_cve_2020_12143.pdf"}],"source":{"advisory":"2020 -04-24-001- 002","discovery":"EXTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T11:48:58.488Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_rogue_orchestrator-cve_2020_12143.pdf"}]}]},"cveMetadata":{"assignerOrgId":"83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c","assignerShortName":"Silver Peak","cveId":"CVE-2020-12143","datePublished":"2020-05-05T19:53:56.000Z","dateReserved":"2020-04-24T00:00:00.000Z","dateUpdated":"2024-08-04T11:48:58.488Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}