Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)

Vendor: Silver Peak
Vendor URL: https://www.silver-peak.com
Versions affected: All EdgeConnect OS versions prior to 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.
Systems Affected: Unity EdgeConnect Appliance & Orchestrator
CVE Identifier: CVE-2020-12148 (nslookup API), CVE-2020-12149 (Management File Upload)
Advisory URL: https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_command_injection_mgmt_file_upload_cve_2020_12149-1.pdf, https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notice_command_injection_via_api_cve_2020_12148-1.pdf 
Risk: Medium – 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) (nslookup API)
Risk: Medium – 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) (Management file upload)
Authors: Alexander Smye, Jonathan Letham

Summary

Silver Peak’s Unity EdgeConnect offering enables customers to easily set up and manage virtual networks using SD-WAN (Software Defined Wide Area Networking). At a high level, it consists of physical or virtual EdgeConnect appliances and the Orchestrator management platform. The EdgeConnect appliances are essentially network devices that are installed at various remote sites within the customer’s estate. These devices connect to each other using encrypted transport tunnels, allowing customers to connect remote sites with a virtualised network. The Orchestrator management platform is used to manage these EdgeConnect devices and the virtual network that sits on top of them.

Impact

Two command injection vulnerabilities were discovered in separate locations within the EdgeConnect device software. Both of these vulnerabilities could allow an attacker with credentials for the Orchestrator, or with local EdgeConnect device credentials, to inject arbitrary OS commands which would be executed with elevated privileges. An attacker could exploit either vulnerability to establish an interactive channel with the device, effectively taking full control of the target device.

Details

CVE-2020-12148 (nslookup API) – The EdgeConnect devices contain a feature which is used to perform an nslookup of an arbitrary hostname. This is intended to be used to test network connectivity and configuration. By using a specially crafted payload it was possible to inject arbitrary OS commands. This was possible from either the local web server running on the EdgeConnect device, or the Orchestrator management platform.

CVE-2020-12149 (Management File Upload) – The EdgeConnect devices have the ability to back up and restore their configuration to and from files supplied by a user. The EdgeConnect software was found to directly incorporate the filename of the uploaded file in a subsequent shell command. As a result, it was possible to craft a file with a malicious filename containing arbitrary OS commands which would be executed upon file upload. This was possible from either the local web server running on the EdgeConnect device, or the Orchestrator management platform.
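Both defects share one root cause: a user-controlled string (a hostname for the diagnostic, a filename for the restore) is interpolated into a shell command line. The following is an added example, not Silver Peak's code, of how an application can close that class of bug: allowlist both inputs and pass them to the external tool as a single argv element with no shell involved. The restore command used here (`tar`) and the function names are assumptions for illustration; the actual command the appliance runs is not public.

```python
import re
import subprocess
from typing import List

# Allowlist for hostnames (RFC 1123 labels): letters, digits and hyphens only,
# no label starting or ending with "-", so option-like values such as "-x" are
# rejected along with shell metacharacters like ";", "|", "$(" and backticks.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
# Allowlist for uploaded backup file names: a single path component starting
# with an alphanumeric character, so "../", "/" and metacharacters never match.
_BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_hostname(host: str) -> bool:
    return bool(_HOSTNAME_RE.match(host))


def validate_backup_filename(name: str) -> bool:
    return bool(_BACKUP_NAME_RE.match(name)) and ".." not in name


def build_nslookup_argv(host: str) -> List[str]:
    """Argument vector for the nslookup diagnostic: the hostname becomes one
    argv element and is never spliced into a shell string."""
    if not validate_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["nslookup", host]


def build_restore_argv(name: str) -> List[str]:
    """Argument vector for restoring an uploaded backup. "tar" is an assumed
    command for illustration; the appliance's real restore command is not public."""
    if not validate_backup_filename(name):
        raise ValueError("rejected backup file name: %r" % name)
    return ["tar", "-xzf", name]


def run_checked(argv: List[str]) -> subprocess.CompletedProcess:
    # shell=False (the default): argv goes to execve() as-is, so no shell ever
    # parses the user-controlled element, even if validation were bypassed.
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)
```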

Recommendation

Upgrade EdgeConnect appliance software to ECOS 8.1.9.15+, 8.3.0.8+, 8.3.1.2+, 8.3.2.0+, 9.0.2.0+, or 9.1.0.0+

Vendor Communication

01-10-2020 – Advisory disclosed to Silver Peak
08-10-2020 – Confirmation that Silver Peak are currently fixing the issues and will apply a fix in a software update
11-12-2020 – Security advisory published by Silver Peak; vulnerabilities fixed in software update