SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   Blue Coat ProxySG
Vendors:   Blue Coat Systems
Blue Coat ProxySG May Disclose Private Key to Remote Users
SecurityTracker Alert ID:  1010192
SecurityTracker URL:  http://securitytracker.com/id/1010192
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 18 2004
Impact:   Disclosure of authentication information

Version(s): 3.x
Description:   An authentication information disclosure vulnerability was reported in Blue Coat ProxySG. A remote user may be able to obtain a private key.

Blue Coat reported that version SG 3.x may reveal the private key associated with an imported certificate.

According to the advisory, the private key and its pass-phrase are logged in cleartext when a private key is imported via the web-based management console. This information may be disclosed to remote users.

Impact:   The device may disclose a private key to remote users.
Solution:   The vendor has released a fix:

SGOS 3.1.3.14:

http://download.bluecoat.com/release/SGOS3/index.html

SGOS 3.2.1.1:

http://download.bluecoat.com/release/SGOS3/index.html

The vendor advises that customers who have imported a private key through the web-based administrative interface should consider the key to be compromised and should generate a new key pair and certificate.
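
When auditing exported logs for the kind of exposure described above, a scan for PEM private-key armor and pass-phrase fields shows which log lines hold key material. The following is an added example, not code from Blue Coat or SecurityTracker; the log layout, the `/console/import` path and the `key`/`passphrase` field names are constructed assumptions and do not reflect the ProxySG log format.

```python
import bisect
import re
from urllib.parse import unquote_plus

# PEM armor for PKCS#1 (RSA), SEC1 (EC), DSA and PKCS#8 (plain or encrypted) keys.
PEM_RE = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
    r"(.*?)-----END \1-----", re.S)
# Assumed field names for a logged pass-phrase; adjust to the log being audited.
PASS_RE = re.compile(r"(?i)\b(pass[-_]?phrase|password)=([^&\s]+)")

def normalize(line):
    """Undo encodings a logged web form submission may carry."""
    text = unquote_plus(line)            # %2D -> '-', '+' -> ' ', %0A -> newline
    return text.replace("\\r", "").replace("\\n", "\n")

def scan(lines):
    """Return sorted (line_no, kind, detail) findings; secret values are never returned."""
    findings, parts, starts, pos = [], [], [], 0
    for no, raw in enumerate(lines, 1):
        for m in PASS_RE.finditer(raw):
            findings.append((no, "passphrase", m.group(1).lower()))
        text = normalize(raw) + "\n"
        starts.append(pos)
        parts.append(text)
        pos += len(text)
    # Search the joined text so a key spread over several log lines is still found.
    for m in PEM_RE.finditer("".join(parts)):
        protected = m.group(1).startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in m.group(2)
        findings.append((bisect.bisect_right(starts, m.start()), "private-key",
                         "passphrase-protected" if protected else "unprotected"))
    return sorted(findings)

def redact(line):
    """Mask pass-phrase values and single-line key bodies before a log is shared."""
    line = PASS_RE.sub(r"\1=[REDACTED]", line)   # on the raw line, before decoding
    text = PEM_RE.sub(r"-----BEGIN \1-----[REDACTED]-----END \1-----", normalize(line))
    return text.replace("\n", "\\n")

# Constructed sample log lines (not the ProxySG log format).
SAMPLE = [
    "2004-05-17 10:03:40 admin POST /console/import key=-----BEGIN+RSA+PRIVATE+KEY-----"
    "%0AProc-Type%3A+4%2CENCRYPTED%0AQUJD%2BREVG%0A-----END+RSA+PRIVATE+KEY-----"
    "&passphrase=ex%26ample",
    "2004-05-17 10:04:02 key import debug dump follows",
    "-----BEGIN PRIVATE KEY-----",
    "QUJDREVG",
    "-----END PRIVATE KEY-----",
]
```

A pass-phrase-protected key logged next to its pass-phrase, as in the first sample line, is no safer than an unprotected one, which is why the scan reports both findings for the same line.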

Vendor URL:  www.bluecoat.com/support/knowledge/advisory_private_key_compromise.html
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  http://www.bluecoat.com/support/knowledge/advisory_private_key_compromise.html


http://www.bluecoat.com/support/knowledge/advisory_private_key_compromise.html

 > Security Advisory: Potential Compromise of Private Keys
 >
 > Date:
 > May 17, 2004
 >
 > Severity:
 > High

Blue Coat reported that SG 3.x may reveal the private key associated with an imported 
certificate.

According to the advisory, the private key and its pass-phrase are logged in cleartext when 
a private key is imported via the web-based management console.  This information may be 
disclosed to remote users.

The vendor advises that customers who have imported a private key through the web-based 
administrative interface should consider the key to be compromised and should generate a 
new key pair and certificate.

The vendor has released a fix:

SGOS 3.1.3.14:

http://download.bluecoat.com/release/SGOS3/index.html

SGOS 3.2.1.1:

http://download.bluecoat.com/release/SGOS3/index.html


 
 

