SA15 : Potential Compromise of Private Keys
1042
17 May 2004
17 May 2004
CLOSED
HIGH
SUMMARY
Some Blue Coat products have a problem that can result in the private key associated with an imported certificate being revealed.
ISSUES
Importing a private key through the web-based administrative interface (the management console) results in the private key and its pass-phrase being logged in cleartext on the device. Certain device configurations or administrator actions can result in this information being revealed outside the appliance.
Note that importing a private key via the command-line interface does not expose the private key; this problem is specific to the browser-based interface.
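The check a practitioner wants here is whether key material has already left the appliance: any log export, support bundle or configuration archive taken from an affected device should be searched for private-key material and pass-phrases before deciding how urgently to rotate. The script below is an added example, not Blue Coat code. It scans a file for PEM private-key headers and pass-phrase fields and reports how many lines carry them. The sample log lines are constructed for the example, and the field names in them (such as "keyring passphrase=") are assumptions, not the appliance's real log format.

```shell
#!/bin/sh
# Added example, not Blue Coat code: scan an exported log or configuration
# dump for private-key material and pass-phrases that should never appear in
# cleartext. The sample log and its field names are constructed assumptions.

# Print the number of lines in FILE that carry a PEM private-key header or a
# pass-phrase/password field; return 0 if none were found, 1 if any were.
scan_for_leaked_keys() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    hits=$(grep -c -E \
        -e '-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' \
        -e '[Pp]ass(word|phrase)[[:space:]]*[=:]' "$file" || true)
    echo "${hits:-0}"
    [ "${hits:-0}" -eq 0 ]
}

# Write a constructed sample log (NOT a real appliance log) to FILE. It mimics
# what the advisory describes: a management-console import that records both
# the key and its pass-phrase in cleartext.
write_sample_log() {
    cat > "$1" <<'EOF'
2004-05-17 10:02:11 admin login from 10.0.0.5 via management console
2004-05-17 10:02:40 keyring import name=web-proxy-cert
2004-05-17 10:02:40 keyring passphrase=S3cretPassphrase
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKconstructedplaceholderkeybody0123456789abcdef=
-----END RSA PRIVATE KEY-----
2004-05-17 10:03:02 configuration saved
EOF
}

# Usage: scan_for_leaked_keys /path/to/exported.log
# Demo run against the constructed sample:
sample=$(mktemp)
write_sample_log "$sample"
if scan_for_leaked_keys "$sample" >/dev/null; then
    echo "no key material in this export (the on-box log may still hold it)"
else
    echo "private-key material or pass-phrase present in export: treat the key as compromised and rotate it"
fi
rm -f "$sample"
```

A clean result from an export only means that particular copy is clean; the advisory's point is that the key and pass-phrase were written to the device's own log at import time, so the rotation in MITIGATION still applies.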
MITIGATION
Customers using these products who have imported a private key through the web-based administrative interface should treat that key as potentially compromised. They are advised to generate a new key pair and certificate, replace the existing key pair and certificate with the new ones, and have the existing certificate revoked; contact your certificate authority for its revocation requirements and procedures.
If you are running one of the affected releases, import the new key via the command-line interface.
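The mitigation is a key rotation: generate a new key pair and CSR, obtain a certificate for it, install the new pair, then revoke the old certificate. The shell script below is an added example and not Blue Coat tooling. It uses openssl to generate the replacement key off the appliance and performs the check a practitioner wants before revoking anything: that the certificate about to be installed actually carries the new public key and not the possibly compromised one. The file names, subject name, key size and the self-signed certificate standing in for the CA-issued one are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Blue Coat code: rotate a possibly compromised key pair.
# Generates a fresh key and CSR off the appliance, then checks that the
# certificate to be installed carries the NEW public key. Paths, subject name,
# key size and the self-signed stand-in for the CA-issued cert are assumptions.

# Generate a new RSA private key and a CSR for it in DIR with subject SUBJ.
make_replacement_key() {
    dir="$1"; subj="$2"
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/new.key" -subj "$subj" -out "$dir/new.csr" 2>/dev/null
}

# Print the SHA-256 fingerprint of the DER-encoded public key carried by a
# private key, a certificate or a CSR (KIND is key, cert or csr).
pubkey_fingerprint() {
    kind="$1"; file="$2"
    case "$kind" in
        key)  openssl pkey -in "$file" -pubout -outform DER 2>/dev/null ;;
        cert) openssl x509 -in "$file" -pubkey -noout 2>/dev/null |
              openssl pkey -pubin -outform DER 2>/dev/null ;;
        csr)  openssl req -in "$file" -pubkey -noout 2>/dev/null |
              openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if CERT's public key is the one that belongs to KEY.
cert_matches_key() {
    [ "$(pubkey_fingerprint cert "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# End-to-end demonstration in a throwaway directory.
demo_rotation() {
    work=$(mktemp -d)
    subj="/CN=proxy.example.test"
    # Stand-in for the key pair that went through the management console.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/old.key" \
        -subj "$subj" -days 1 -out "$work/old.crt" 2>/dev/null
    make_replacement_key "$work" "$subj"
    # Stand-in for the certificate the CA issues for new.csr (self-signed here).
    openssl x509 -req -in "$work/new.csr" -signkey "$work/new.key" \
        -days 1 -out "$work/new.crt" 2>/dev/null
    status=0
    if cert_matches_key "$work/old.crt" "$work/new.key"; then
        echo "ERROR: new key is identical to the old one; rotation did nothing"
        status=1
    elif ! cert_matches_key "$work/new.crt" "$work/new.key"; then
        echo "ERROR: certificate does not carry the new public key; do not install it"
        status=1
    else
        echo "new certificate matches new key; import via the CLI, then revoke the old certificate"
    fi
    rm -rf "$work"
    return $status
}

demo_rotation
```

Generating the key off-box and importing only the resulting key file through the command-line interface keeps the new key away from the code path the advisory describes; the old certificate is revoked only after the fingerprint check confirms the replacement is genuinely a different key.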