Entries tagged as edellroot
browser ajax certificate clickjacking content-security-policy cryptography csp dell encryption firefox html https javascript khtml konqueror maninthemiddle microsoft php rss security sni ssl superfish tls vulnerability webcore websecurity xss algorithm android ca cacert ccc cccamp11 certificateauthority cloudflare eff facebook hash observatory openleaks openssl privatekey pss rsa sha1 sha256 symantec taz transvalid updates windowsxp x509 aiglx apache apt badkeys braunschweig bsideshn cccamp cccamp15 certificates chrome chromium cmi compiz crash crypto darmstadt datenschutz deb debian deolalikar diffiehellman diploma diplomarbeit easterhegg email english enigma fedora fortigate fortinet forwardsecrecy gentoo gnupg gpg gsoc hannover http key keyexchange keyserver leak letsencrypt libressl linux math md5 milleniumproblems mitm modulobias mrmcd mrmcd101b nginx nist nss ocsp ocspstapling openbsd openpgp packagemanagement papierlos password pgp pnp privacy provablesecurity random rc2 revocation revoke rpm rsapss schlüssel server sha2 sha512 signatures slides smime stuttgart talk thesis ubuntu unicode university utf-8 verschlüsselung web wordpress aead aes aok berserk bleichenbacher cfb cms gajim jabber joomla otr owncloud poodle update xmpp adguard antivirus breach cookies crime csrf freak heist kaspersky komodia netfiltersdk privdog protocolfilters samesite time 0days 27c3 addresssanitizer adobe afra altushost antivir asan auskunftsanspruch axfr azure barcamp bash berlin bias bigbluebutton blog bodensee botnetz bsi bufferoverflow bugbounty bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass c cbc cellular chcounter clamav clang code conflictofinterest cookie cve dingens distributions dns domain drupal eplus fileexfiltration firewall freesoftware freewvs frequency fsfe ftp fuzzing gallery gcc ghost gimp git glibc gnutls gobi google gsm gstreamer hackerone hacking heartbleed helma infoleak informationdisclosure internetscan ircbot itsecurity jodconverter karlsruhe lessig libreoffice luckythirteen malware mantis memorysafety mephisto mobilephones moodle mozilla mpaa mplayer mrmcd100b multimedia mysql napster nessus newspaper ntp ntpd onlinedurchsuchung openbsc openbts openvas osmocombb padding panda passwordalert passwort passwörter pdo phishing python rand redhat rhein s9y salinecourier science serendipity session shellbot shellshock sicherheit snallygaster sniffing spam sqlinjection squirrelmail staatsanwaltschaft stacktrace study subdomain sunras support tlsdate toendacms überwachung unicef useafterfree userdir virus vlc vortrag vulnerabilities webapps webmontag wiesbaden windows wiretapping xgl xine xsa zerodays zugangsdaten zzuf calendar ipv6 planet stadtmitte bugtracker core coredump github nextcloud segfault webroot webserver
Monday, November 23. 2015
Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections
tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate.It seems that Dell hasn't learned anything from the Superfish-scandal earlier this year: Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data.
The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".
The private key of this certificate is marked as non-exportable in the Windows certificate store. However this provides no real protection, there are Tools to export such non-exportable certificate keys. A user of the plattform Reddit has posted the Key there.
For users of the affected Laptops this is a severe security risk. Every attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies.
I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement three weeks ago and didn't get any answer.
It is currently unclear which purpose this certificate served. However it seems unliklely that it was placed there deliberately for surveillance purposes. In that case Dell wouldn't have installed the private key on the system.
Affected are only users that use browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects the Internet Explorer, Edge and Chrome. Not affected are Firefox-users, Mozilla's browser has its own certificate store.
Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities". You also need to remove the file Dell.Foundation.Agent.Plugins.eDell.dll, Dell has now posted an instruction and a removal tool.
This incident is almost identical with the Superfish-incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its Laptops. Superfish intercepts HTTPS-connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified, they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard.
This article is mostly a translation of a German article I wrote for Golem.de.
Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0
Update (2015-11-24): Second Dell root certificate DSDTestProvider
I just found out that there is a second root certificate installed with some Dell software that causes exactly the same issue. It is named DSDTestProvider and comes with a software called Dell System Detect. Unlike the Dell Foundations Services this one does not need a Dell computer to be installed, therefore it was trivial to extract the certificate and the private key. My online test now checks both certificates. This new certificate is not covered by Dell's removal instructions yet.
Dell has issued an official statement on their blog and in the comment section a user mentioned this DSDTestProvider certificate. After googling what DSD might be I quickly found it. There have been concerns about the security of Dell System Detect before, Malwarebytes has an article about it from April mentioning that it was vulnerable to a remote code execution vulnerability.
Update (2015-11-26): Service tag information disclosure
Another unrelated issue on Dell PCs was discovered in a tool called Dell Foundation Services. It allows webpages to read an unique service tag. There's also an online check.