Monday, November 23. 2015
Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections
tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate.It seems that Dell hasn't learned anything from the Superfish-scandal earlier this year: Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data.
The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".
The private key of this certificate is marked as non-exportable in the Windows certificate store. However this provides no real protection, there are Tools to export such non-exportable certificate keys. A user of the plattform Reddit has posted the Key there.
For users of the affected Laptops this is a severe security risk. Every attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies.
I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement three weeks ago and didn't get any answer.
It is currently unclear which purpose this certificate served. However it seems unliklely that it was placed there deliberately for surveillance purposes. In that case Dell wouldn't have installed the private key on the system.
Affected are only users that use browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects the Internet Explorer, Edge and Chrome. Not affected are Firefox-users, Mozilla's browser has its own certificate store.
Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities". You also need to remove the file Dell.Foundation.Agent.Plugins.eDell.dll, Dell has now posted an instruction and a removal tool.
This incident is almost identical with the Superfish-incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its Laptops. Superfish intercepts HTTPS-connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified, they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard.
This article is mostly a translation of a German article I wrote for Golem.de.
Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0
Update (2015-11-24): Second Dell root certificate DSDTestProvider
I just found out that there is a second root certificate installed with some Dell software that causes exactly the same issue. It is named DSDTestProvider and comes with a software called Dell System Detect. Unlike the Dell Foundations Services this one does not need a Dell computer to be installed, therefore it was trivial to extract the certificate and the private key. My online test now checks both certificates. This new certificate is not covered by Dell's removal instructions yet.
Dell has issued an official statement on their blog and in the comment section a user mentioned this DSDTestProvider certificate. After googling what DSD might be I quickly found it. There have been concerns about the security of Dell System Detect before, Malwarebytes has an article about it from April mentioning that it was vulnerable to a remote code execution vulnerability.
Update (2015-11-26): Service tag information disclosure
Another unrelated issue on Dell PCs was discovered in a tool called Dell Foundation Services. It allows webpages to read an unique service tag. There's also an online check.
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
It's not just laptops, it's their desktops too.
There's a Dell XPS 8700 desktop here that I have confirmed, has the bad certificate. There's a second one that we've set up for our office network but haven't yet pressed into service, and I'm thinking there's a good chance it has the certificate too.
I've deleted it from the machine I checked. I'll have to locate the other one.
http://forums.theregister.co.uk/forum/containing/2705367 suggests that it re-incarnates after deletion too. I'll be keeping a close eye on that machine though to see if the certificate comes back.
There's a Dell XPS 8700 desktop here that I have confirmed, has the bad certificate. There's a second one that we've set up for our office network but haven't yet pressed into service, and I'm thinking there's a good chance it has the certificate too.
I've deleted it from the machine I checked. I'll have to locate the other one.
http://forums.theregister.co.uk/forum/containing/2705367 suggests that it re-incarnates after deletion too. I'll be keeping a close eye on that machine though to see if the certificate comes back.
You get rid of the certificate by performing following actions:
1) Stop and Disable Dell Foundations Service 2) Delete eDellRoot CA registry key here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927
Then reboot and test.
1) Stop and Disable Dell Foundations Service 2) Delete eDellRoot CA registry key here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927
Then reboot and test.
Just tried your instructions, sort-of (I did the deletion first through certmgr.msc).
Stopped and disabled the "Dell Foundations Service" then did a reboot. So far, so good. We'll be keeping an eye on the affected machine.
We have two machines both bought the same day, one has the certificate, the other does not. The one without was kept in a box the past month.
Not sure if the bad certificate has always been on the affected box or if it was since downloaded.
Apparently the certificate is being revoked automatically for some: http://forums.theregister.co.uk/forum/containing/2705481
Stopped and disabled the "Dell Foundations Service" then did a reboot. So far, so good. We'll be keeping an eye on the affected machine.
We have two machines both bought the same day, one has the certificate, the other does not. The one without was kept in a box the past month.
Not sure if the bad certificate has always been on the affected box or if it was since downloaded.
Apparently the certificate is being revoked automatically for some: http://forums.theregister.co.uk/forum/containing/2705481
Hi, I'm Laura and I work for Dell.
Customer security and privacy is a top concern and priority for Dell, so I apologize that your attempts to contact us went unanswered.
The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.
Customer security and privacy is a top concern and priority for Dell, so I apologize that your attempts to contact us went unanswered.
The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.
Just wanted to follow-up with link to additional information and removal instructions now available here: http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
Help: I recently purchased a Dell laptop and need assistance relating to this. I'm not very computer literate. Could someone contact me and assist me.
Tom Moreland
Tom Moreland
Hi Tom,
Me neither!
Here, this should help you. There is an automatic tool you can download from Dell's site. http://www.dell.com/support/article/uk/en/ukdhs1/SLN300321/en?c=uk&s=gen&cs=&l=en
All the best,
Sarah
Me neither!
Here, this should help you. There is an automatic tool you can download from Dell's site. http://www.dell.com/support/article/uk/en/ukdhs1/SLN300321/en?c=uk&s=gen&cs=&l=en
All the best,
Sarah