CVE-2020-12145
Published: 2020-11-05

Priority: P260 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

EPSS: 6.05% (92.5th percentile)
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ use HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers (on-premise or in a public cloud provider) are affected by this vulnerability.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silver-peak | unity_orchestrator | < 8.9.11+ | 8.9.11+ |
| silver-peak | unity_orchestrator | >= 8.10 < 8.10.11+ | 8.10.11+ |
| silver-peak | unity_orchestrator | >= 9.0 < 9.0.1+ | 9.0.1+ |
| silver_peak_systems_inc | unity_orchestrator | — | — |
| silver_peak_systems_inc | unity_orchestrator | — | — |
| silver_peak_systems_inc | unity_orchestrator | — | — |
Detection & IOCs (extracted from sources)

- url: /gms/rest/debugFiles/delete
- path: ../phantomGenImg.js

Snort/Suricata rule:

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.host; pcre:"/(?:localhost|127\.0\.0\.1)/"; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:2; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_04;)
```
- Authentication bypass is triggered by setting the HTTP Host header to '127.0.0.1' or 'localhost' in REST API requests to Silver Peak Unity Orchestrator.
- Exploitation traffic uses the HTTP POST method targeting the /gms/rest/debugFiles/delete URI with a Host header matching localhost or 127.0.0.1.
- The request body contains a path traversal string '../phantomGenImg.js', indicating chained exploitation with CVE-2020-12146 (file deletion/manipulation).
- The Suricata/Snort rule (sid:2031494) can be deployed at both Perimeter and Internal network positions to detect inbound exploitation attempts.
- The CVE-2020-12145 authentication bypass relies on HTTP headers and only affects Orchestrator instances accessible via HTTP (not necessarily HTTPS-only deployments). On-premise and public cloud-hosted instances are both in scope.
- The Suricata rule references both CVE-2020-12145 (auth bypass) and CVE-2020-12146 (the chained vulnerability exploited via the /gms/rest/debugFiles/delete endpoint); defenders should treat these as a combined exploit chain.
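As an added illustration (not code from this record, the vendor, or the ET ruleset), the flawed "is this request local?" decision beside the one the fix implies, plus detection logic that mirrors sid:2031494 and additionally flags a loopback Host header arriving from a non-loopback peer. `Request`, `detect`, and the sample requests are assumed/constructed names and data.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    peer_ip: str                     # address the TCP connection actually came from
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

# Anchored, optional port; the ET rule's pcre on http.host is unanchored.
LOOPBACK_HOST = re.compile(r"^(?:localhost|127\.0\.0\.1)(?::\d+)?$", re.I)

def host_header(req):
    """Case-insensitive lookup of the Host header (constructed helper)."""
    return next((v for k, v in req.headers.items() if k.lower() == "host"), "")

def is_local_vulnerable(req):
    """The flawed pattern: trust a client-controlled header to decide 'localhost'."""
    return bool(LOOPBACK_HOST.match(host_header(req)))

def is_local_fixed(req):
    """Decide 'localhost' from the socket peer address, which the client cannot set."""
    try:
        return ipaddress.ip_address(req.peer_ip).is_loopback
    except ValueError:
        return False

def detect(req):
    """Findings for one request: header spoof (CVE-2020-12145) and the sid:2031494 pattern."""
    findings = []
    claims_local = is_local_vulnerable(req)
    if claims_local and not is_local_fixed(req):
        findings.append("host-header-spoof")
    if (req.method == "POST" and req.path.startswith("/gms/rest/debugFiles/delete")
            and claims_local and "../phantomGenImg.js" in req.body):
        findings.append("sid-2031494")
    return findings

# Constructed sample requests, not real captures.
SAMPLES = [
    Request("127.0.0.1", "GET", "/gms/rest/appliance", {"Host": "127.0.0.1"}),
    Request("203.0.113.7", "GET", "/gms/rest/appliance", {"host": "localhost"}),
    Request("203.0.113.7", "POST", "/gms/rest/debugFiles/delete",
            {"Host": "127.0.0.1:443"}, '{"path":"../phantomGenImg.js"}'),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.peer_ip, r.method, r.path, detect(r))
```

A genuine local client (first sample) produces no finding, while a remote peer presenting a loopback Host header is flagged with or without the chained CVE-2020-12146 body.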
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Suricata: ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146) · created 2021-01-07 · rule entry for CVE-2020-12146 [MEDIUM], CVSS 6.6
No public exploits indexed.
No writeups or analysis indexed.