SA15 : Potential Compromise of Private Keys

1042

17 May 2004

17 May 2004

CLOSED

HIGH

SUMMARY


Some Blue Coat Products have a problem that can result in revealing the private key associated with an imported certificate.

ISSUES


Importing a private key through the web-based administrative interface (the management console) results in the private key and its pass-phrase being logged in cleartext on the device. Certain device configurations or administrator actions can result in this information being revealed outside the appliance.

Note that importing a private key via the command-line interface does not expose the private key; this problem is specific to the browser-based interface.

MITIGATION


Customers using these products that have imported a private key through the web-based administrative interface should be aware that the key may have been compromised and are advised to generate a new key pair and certificate, and to replace the existing key pair/certificate with the new one. The existing certificate should be revoked; customers should contact their certificate authority for revocation requirements and procedures.

The new key should be imported via the command-line interface if using one of the affected releases.
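Two defender-side helpers for this advisory, as an added shell example that is not Blue Coat's code: a scan of an exported log for PEM private-key blocks (the cleartext leak described under ISSUES, so affected log exports can be found and handled before they leave the organisation), and generation of a replacement key pair and CSR with openssl for the MITIGATION step. The advisory does not give the appliance's log format or its CLI import command, so the sample log lines and the `keyring`/`passphrase` field names below are constructed, and the actual import and revocation steps are left to the product and CA documentation.

```shell
#!/bin/sh
# Added example, not Blue Coat code: defender-side helpers for the two halves of SA15.
#   scan_logs_for_private_keys FILE   counts PEM private-key blocks in an exported log
#   make_replacement_key DIR NAME     generates a fresh key pair and CSR with openssl
# Assumptions: the log was exported as plain text (the appliance's real log format is
# not given in the advisory, so the sample below is constructed) and openssl is on PATH.

# Print the number of PEM private-key headers found in FILE; exit status 0 only when
# none were found, so the function can gate a log-export or log-shipping pipeline.
scan_logs_for_private_keys() {
    file="$1"
    # Matches "BEGIN PRIVATE KEY" (PKCS#8) as well as "BEGIN RSA/EC/ENCRYPTED PRIVATE KEY".
    # grep -c still prints 0 on no match but exits 1, hence the "|| true".
    count=$(grep -c -E -- '-----BEGIN( [A-Z]+)? PRIVATE KEY-----' "$file" || true)
    echo "$count"
    [ "$count" -eq 0 ]
}

# Write a constructed log excerpt resembling the leak the advisory describes:
# a key import through the management console echoing the pass-phrase and the key.
# Field names and timestamps are invented for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
2004-05-17 10:02:11 mgmt-console POST /ssl/import-key user=admin
2004-05-17 10:02:11 mgmt-console keyring=default passphrase=example-passphrase
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK... (constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----
2004-05-17 10:02:12 mgmt-console import ok
EOF
}

# Generate a replacement 2048-bit RSA key and a CSR for NAME under DIR, with the key
# file readable only by its owner. The CSR goes to the CA; the signed certificate and
# new key are then imported through the CLI, as the advisory directs, and the old
# certificate is revoked with the CA.
make_replacement_key() {
    dir="$1"; name="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null
    chmod 600 "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" 2>/dev/null
}

# Stand-alone run: scan the constructed sample, then cut a new key if openssl is present.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/console.log"
if scan_logs_for_private_keys "$demo_dir/console.log" >/dev/null; then
    echo "no private-key material found in $demo_dir/console.log"
else
    echo "private-key material found in $demo_dir/console.log: treat the key as compromised"
fi
if command -v openssl >/dev/null 2>&1; then
    make_replacement_key "$demo_dir" "proxy.example"
    echo "replacement key and CSR written under $demo_dir"
fi
```

Running the script prints a "private-key material found" line for the constructed log, which is the signal to treat that key as compromised and start the key rotation and revocation described above; the same scan run over real exported logs tells you which exports must be purged or access-restricted.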