Vigil@nce: Blue Coat ProxySG, obsolete list of certification authorities
March 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
The Blue Coat ProxySG appliance accepts certificates signed by
certification authorities which are untrusted.
– Severity: 2/4
– Creation date: 16/02/2012
IMPACTED PRODUCTS
– Blue Coat ProxySG
DESCRIPTION OF THE VULNERABILITY
The Blue Coat product has a list of root certificates, published
by trusted certification authorities.
Before ProxySG 6.3, this list was only updated during the upgrade
of SGOS. Since ProxySG 6.3, this list is updated every seven days.
On most installations, this list is thus obsolete, and contains
authorities which are not trusted anymore. An attacker who owns a
certificate signed by one of theses authorities can thus continue
to propose a web service, which is not detected as malicious by
ProxySG.
The Blue Coat ProxySG appliance therefore accepts certificates
signed by certification authorities which are untrusted.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Blue-Coat-ProxySG-obsolete-list-of-certification-authorities-11374