Update to ProxySG browser trusted CCL
The list of browser trusted CA certificates has been updated to remove untrusted and expired CAs and to add new trusted CAs. An attacker who can obtain a certificate from an untrusted CA that is still trusted by ProxySG can pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client.
All versions of ProxySG prior to 6.3 that are configured to intercept SSL traffic and use the default browser-trusted CCL for OCS certificate validation are vulnerable.
When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the OCS, posing as the client. It is critical that the ProxySG have an up-to-date list of trusted CA certificates to ensure that the OCS is authenticated and the connection is trustworthy. The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose by default. The browser-trusted CCL includes most of the well-known CAs trusted by common browsers such as Internet Explorer and Firefox. An administrator can add and remove CAs from this list.
Using an out-of-date browser-trusted CCL can result in trusting the certificate of an OCS that should not be trusted when proxying a client connection. An attacker can use this misplaced trust to pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client. Using an out-of date browser-trusted CCL can also result in failing to trust certificates of an OCS that should be trusted.
In versions prior to 6.3, the ProxySG appliance’s list of browser-trusted CAs is automatically updated only upon SGOS upgrade. In version 6.3 the Downloadable CA List feature was added to allow the appliance to automatically download an updated browser-trusted list of CAs every seven days by default. Please refer to the ProxySG Administrator's Guide for more information.
This update to the browser-trusted CCL removes 38 CAs that should not be trusted or that have expired. It also and adds 170 new CAs that are trusted by most browsers.
The CAs that were deleted are listed below as they are named in the browser trusted CCL.
The CAs that were added are listed below as they are named in the browser trusted CCL.
Customers are encouraged to regularly inspect their browser-trusted list of CAs to ensure that they trust only those CAs that they believe should be trusted. Certificates that are expired or that are no longer trusted, including those listed in this advisory, should be removed.
ProxySG 6.3 - a fix is available in 220.127.116.11. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/9063.
ProxySG 6.2 - a fix is available in 18.104.22.168. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/7375.
ProxySG 6.1 - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
ProxySG 5.5 - a partial fix is available in 22.214.171.124. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41. All CA certificates that should be deleted are deleted. Only a subset of the CA certificates that should be added are added. No further updates are planned in 5.5 to add the remaining CA certificates.
ProxySG 5.4 - a fix is available in 126.96.36.199. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/17.
ProxySG 5.3 - please update to a later version.
For more information on the browser-trusted CCL, see the "Managing SSL Traffic" chapter of the SGOS Administration Guide. For 6.x the guide is located at https://bto.bluecoat.com/documentation/pubs/ProxySG.
2015-01-27 SGOS 6.1 will not be fixed. Marked as Final.
2013-10-17 Updated Patches information for SGOS 6.2, 5.4, and 5.3.
2012-05-09 Notification of a partial fix for 5.5.
2012-04-02 Added list of deleted and added CAs.
2012-02-15 Initial public release