CVE-2020-12142 MEDIUM

CVE-2020-12142: IPSec UDP key material can be retrieved from EdgeConnect by a user with admin credentials

Vendor Silver Peak Systems, Inc.
Product 1. Unity EdgeConnect, NX, VX; 2. Unity Orchestrator; 3. EdgeConnect in AWS, Azure, GCP
Weakness CWE-668
Published May 5, 2020
Last update August 4, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

1. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication.
2. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell.

Key dates

02 Disclosure timeline

May 5, 2020 CVE published
August 4, 2024 Record updated