Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
24 Jun 2016 Closed Medium CVSS v2: 6.9 SA127
The HTTPS web UI in PacketShaper S-Series 11.5 may use insecure cryptographic parameters for incoming management connections. A remote attacker who can be a man-in-the-middle, under certain circumstances, may be able to exploit this vulnerability to obtain user authentication credentials. The attacker can then view/modify appliance configuration and view appliance statistics.
11.6 and later
Not vulnerable, fixed in 22.214.171.124
Upgrade to 126.96.36.199.
11.2 - 11.4
Additional Product Information
The HTTPS server in PacketShaper S-Series provides access to the appliance’s web-based Blue Coat Sky UI and Advanced UI. Blue Coat recommends that the PacketShaper S-Series appliance be deployed in a secure network that restricts access to the appliance management network interfaces. Authenticated users who have access to the management interfaces can access the web UI to perform management tasks, such as to modify appliance settings, configure the traffic classification policy, monitor network usage, and generate reports.
This vulnerability can be exploited only through the PacketShaper S-Series management interfaces. If the appliance management network interfaces are not deployed in a secure network, this increases the threat of exploiting the vulnerability.
Information disclosure, unauthorized modification of data
It was found that the HTTPS server in PacketShaper S-Series 11.5 may use insecure cryptographic parameters for incoming encrypted SSL/TLS connections. A remote attacker who can be a man-in-the-middle, under certain circumstances, may be able to exploit this vulnerability to obtain user authentication credentials and other sensitive information. The attacker can then use the authentication credentials to view or modify the appliance configuration and statistics provided by the web UI and CLI.
Thanks to Kristen Petra Dorey from Western University for reporting the vulnerability.
2016-06-24 initial public release
This is machine translated content
Login to Subscribe
Please login to set up your
Would you like to be subscribed to future notifications for this article?
For security reasons, your link to this document has expired. Please click on the attachment link to access this file.
The attachment that you are looking for no longer exists.
There has been an issue retrieving your attachment. Please try again.
Currently server is down.
Didn't find the article you were looking for? Try these resources.