SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Blue Coat ProxySG
Vendors:   Blue Coat Systems
Blue Coat ProxySG SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
SecurityTracker Alert ID:  1031105
SecurityTracker URL:  http://securitytracker.com/id/1031105
CVE Reference:   CVE-2014-3566
Date:  Oct 22 2014
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in Blue Coat ProxySG. A remote user can decrypt SSL sessions in certain cases.

A remote user with the ability to conduct a man-in-the-middle attack can force a client to negotiate a downgrade to SSLv3 instead of a TLS v1.x protocol and then conduct a BEAST-style attack to decrypt portions of the session.

This protocol vulnerability is referred to as the POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability.

This is a flaw in the protocol rather than in the SSL implementation.

The original advisory is available at:

https://www.openssl.org/~bodo/ssl-poodle.pdf

Bodo Moller, Thai Duong, and Krzysztof Kotowicz reported this vulnerability.

Impact:   A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL sessions.
Solution:   No solution was available at the time of this entry.

The vendor notes that SGOS version 6.5 disables SSL 3.0 by default for all connections other than SSL/TLS proxy and that SSL 3.0 can be disabled for SSL/TLS proxy.

The vendor notes that SGOS versions 5.5 and 6.1 through 6.4 enable SSL 3.0 by default for all connections and that SSL 3.0 can be disabled for all connections.

The vendor has described a workaround in their advisory.
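Because the mitigation for this flaw is to stop offering SSL 3.0 at all, the check a defender wants after applying the vendor's workaround is whether a listener still completes an SSL 3.0 handshake. The following is an added example, not code from SecurityTracker or Blue Coat: it builds a minimal SSL 3.0 ClientHello by hand (modern TLS libraries usually cannot negotiate SSLv3 any more) and classifies the first record the server sends back; the host, port and sample byte strings are assumptions constructed for illustration.

```python
import socket
import struct

SSL3_VERSION = (3, 0)  # SSL 3.0 wire version per RFC 6101 (assumed framing)

def build_sslv3_client_hello(cipher_suites=(0x002F, 0x000A, 0x0005)):
    """Build a minimal SSL 3.0 ClientHello record (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(SSL3_VERSION)                    # client_version = 3.0
        + b"\x00" * 32                         # client_random (fixed is fine for a probe)
        + b"\x00"                              # session_id length = 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                          # one compression method: null
    )
    # handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: type 22 (handshake), version 3.0, 2-byte length
    return b"\x16" + bytes(SSL3_VERSION) + struct.pack("!H", len(handshake)) + handshake

def classify_server_response(data):
    """Return 'accepts_sslv3', 'refuses_sslv3' or 'unknown' from the first record."""
    if len(data) < 5:
        return "unknown"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15:                   # Alert (e.g. handshake_failure)
        return "refuses_sslv3"
    if content_type == 0x16 and payload[:1] == b"\x02":   # Handshake: ServerHello
        server_version = tuple(payload[4:6])   # version follows the 4-byte header
        return "accepts_sslv3" if server_version == SSL3_VERSION else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 ClientHello to a listener you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_server_response(sock.recv(4096))

# Constructed sample responses (not captured from any real ProxySG):
# a ServerHello choosing version 3.0 and TLS_RSA_WITH_AES_128_CBC_SHA ...
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a" + "020000260300" + "00" * 32 + "00" + "002f" + "00")
# ... and a fatal handshake_failure alert from a listener with SSL 3.0 disabled.
SAMPLE_ALERT = bytes.fromhex("1503000002" + "0228")
```

A result of `accepts_sslv3` on a listener that was supposed to have SSL 3.0 disabled (for example the SSL/TLS proxy service on SGOS 6.5, which the vendor says keeps it enabled by default) means the downgrade described above is still possible against clients of that listener.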

The vendor's advisory is available at:

https://bto.bluecoat.com/security-advisory/sa83

Vendor URL:  bto.bluecoat.com/security-advisory/sa83
Cause:   Access control error

Message History:   None.

Copyright 2019, SecurityGlobal.net LLC