February 15, 2012 - Update to ProxySG browser trusted CCL
Medium, CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
No CVEs are associated with this vulnerability.
The list of browser trusted CA certificates has been updated to remove untrusted and expired CAs and to add new trusted CAs. An attacker who can obtain a certificate from an untrusted CA that is still trusted by ProxySG can pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client.
All versions of ProxySG prior to 6.3 that are configured to intercept SSL traffic and use the default
When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the OCS, posing as the client. It is critical that the ProxySG have an up-to-date list of trusted CA certificates to ensure that the OCS is authenticated and the connection is trustworthy. The ProxySG appliance uses its built-in
Using an out-of-date browser-trusted CCL can result in trusting the certificate of an OCS that should not be trusted when proxying a client connection. An attacker can use this misplaced trust to pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client. Using an out-of-date
In versions prior to 6.3, the ProxySG appliance’s list of
This update to the
The CAs that were deleted are listed below as they are named in the browser trusted CCL.
The CAs that were added are listed below as they are named in the browser trusted CCL.
Customers are encouraged to regularly inspect their
ProxySG 6.3 - a fix is available in 220.127.116.11. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/9063.
ProxySG 6.2 - a fix is available in 18.104.22.168. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/7375.
ProxySG 6.1 - a fix is not yet available.
ProxySG 5.5 - a partial fix is available in 22.214.171.124. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41. All CA certificates that should be deleted are deleted. Only a subset of the CA certificates that should be added are added. No further updates are planned in 5.5 to add the remaining CA certificates.
ProxySG 5.4 - a fix is available in 126.96.36.199. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/17.
ProxySG 5.3 - please update to a later version.
For more information on the
2013-10-17 Updated Patches information for SGOS 6.2, 5.4, and 5.3.
2012-05-09 Notification of a partial fix for 5.5.
2012-04-02 Added list of deleted and added CAs.
2012-02-15 Initial public release