CVE-2015-1454 - Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Unified Agent before 4.1.3.151952

CVE-2015-1454

Summary

Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Unified Agent before 4.1.3.151952 does not properly validate certain certificates, which allows man-in-the-middle attackers to spoof ProxySG Client Managers, and consequently modify configurations and execute arbitrary software updates, via a crafted certificate.

References

Vulnerable Configurations

cpe:2.3:a:bluecoat:proxyclient:3.3:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.3:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.4:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.4:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:proxyclient:3.4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:unified_agent:4.1.3:*:*:*:*:*:*:*
cpe:2.3:a:bluecoat:unified_agent:4.1.3:*:*:*:*:*:*:*

CVSS

Base:	7.1 (as of 05-02-2019 - 18:13)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	COMPLETE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:C/A:N

refmap via4

confirm	https://bto.bluecoat.com/security-advisory/sa89
secunia	62617

Last major update

05-02-2019 - 18:13

Published

02-02-2015 - 16:59

Last modified

05-02-2019 - 18:13