Overview
Dell Foundation Services installs the eDellRoot certificate into theTrusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key. This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MiTM), and passive decryption attacks, resulting in the exposure of sensitive information.
Description
Dell Foundation Services (DFS) is a remote support component that is pre-installed on some Dell systems. DFS installs a trusted root certificate (eDellRoot) that includes the private key. This certificate was first installed in August 2015. Dell systems that have been re-imaged or do not otherwise have DFS installed are not affected. ZMap has provided a page to test for this vulnerability: https://zmap.io/dell/ |
Impact
An attacker can generate certificates signed by the eDellRoot CA. Systems that trusts the eDellRoot CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software. |
Solution
Mark eDellRoot certificate as untrusted |
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Temporal | 8.2 | E:H/RL:OF/RC:C |
Environmental | 6.5 | CDP:ND/TD:M/CR:H/IR:H/AR:ND |
References
- http://www.dell.com/support/article/us/en/19/SLN300321
- http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
- https://dellupdater.dell.com/Downloads/APP009/eDellRootCertRemovalInstructions.docx
- https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe
- http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroot.html
- https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
- https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-privates
- https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/
- https://twitter.com/bquintero/status/668907167173484545
- http://huagati.blogspot.com/2015/07/do-you-know-which-cas-can-issue-ssltls.html
- https://technet.microsoft.com/en-us/library/dn265983.aspx
- https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- https://technet.microsoft.com/en-us/library/security/3119884.aspx
Acknowledgements
Dell credits Hanno Bཬk, Joe Nord and Kevin Hicks (rotorcowboy).
This document was written by Art Manion.
Other Information
CVE IDs: | None |
Date Public: | 2015-11-23 |
Date First Published: | 2015-11-24 |
Date Last Updated: | 2015-12-01 19:21 UTC |
Document Revision: | 47 |