
CERT Coordination Center

Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys

Vulnerability Note VU#529496

Original Release Date: 2015-02-19 | Last Revised: 2015-03-17

Overview

Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing.

Description

Komodia Redirector SDK is a self-described "interception engine" designed to enable developers to integrate proxy services and web traffic modification (such as ad injection) into their applications. With the SSL Digestor module, HTTPS traffic can also be manipulated. This is accomplished by installing a root CA certificate into browser trusted certificate stores, enabling the proxy to effectively man-in-the-middle all web traffic without raising any flags for the end-user.

In multiple applications implementing Komodia's libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.

In addition to sharing root CA certificates across installations, it has been reported that the SSL validation that Komodia itself performs is broken. This vulnerability can allow an attacker to universally attack all installations of Komodia Redirector, rather than needing to focus on a single application / certificate.

Users should be aware that uninstalling affected applications is not sufficient to remove the security risk, since the root certificates are not removed in the process. Lenovo, whose consumer-grade systems come bundled with the software, has provided instructions and an automated removal tool. A list of potentially affected Lenovo systems is available here.

Users can verify whether their systems contain Superfish and other Komodia root certificates by visiting this site.

Impact

An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Solution

Apply an update

Komodia has updated their vulnerable libraries. Developers who use the Komodia libraries should update their applications.

Users should check vendor websites for updates to affected software and apply them immediately. Given the severity of the issue, users who are unsure that an update addresses the vulnerability are strongly encouraged to consider the following workaround.

Uninstall software using Komodia Redirector SDK and associated root CA certificates

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. Refer to the Vendor Information section below for an updated list of known affected vendors.

After uninstalling an offending application, it is also necessary to independently remove compromised root CA certificates. Note that the names of these certificates are likely to vary based on the originating application. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store.

Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.
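One way to audit the Windows certificate stores for leftover interception root CAs, as an added example that is not part of this note or of any vendor's removal tool. The subject-name patterns are assumptions drawn from the vendors named in this note; the private-key heuristic is general, since a genuine public root CA never ships its private key to client machines.

```powershell
# Added example (not from the CERT/CC note or any vendor tool): list root CA
# entries that look like locally installed TLS-interception roots.
# Name patterns are assumed from the vendors named in VU#529496; extend as needed.
$suspectPatterns = @('Superfish', 'Komodia', 'Lavasoft Limited',
                     'KeepMyFamilySecure', 'Qustodio')

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($path in $stores) {
    if (-not (Test-Path $path)) { continue }
    foreach ($cert in Get-ChildItem -Path $path) {
        $nameHit = $false
        foreach ($p in $suspectPatterns) {
            if ($cert.Subject -like "*$p*" -or $cert.Issuer -like "*$p*") {
                $nameHit = $true; break
            }
        }
        # A trusted root whose private key is present on this machine is the
        # hallmark of local HTTPS interception: the proxy needs that key to
        # mint leaf certificates for every site the user visits.
        $keyPresent = $cert.HasPrivateKey
        if ($nameHit -or $keyPresent) {
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                NameMatch  = $nameHit
                PrivateKey = $keyPresent
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Removal, after reviewing the list (run elevated for LocalMachine stores):
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    'No matching root CA entries found in the Windows certificate stores.'
}
```

Corporate proxies and local development tools also install roots with private keys, so review each hit before removing it. Firefox and Thunderbird keep their own stores, which this script does not cover.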

Vendor Information


Atom Security, Inc Affected

Notified:  February 20, 2015 Updated: February 23, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

StaffCop version 5.8 is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

DyKnow Affected

Notified:  March 17, 2015 Updated: March 17, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

DyKnow version 5.7 is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Infoweise Affected

Notified:  February 22, 2015 Updated: February 22, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Infoweise SecureTeen Windows Parental Control is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KeepMyFamilySecure Affected

Notified:  February 19, 2015 Updated: February 23, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

KeepMyFamilySecure is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Komodia Affected

Notified:  February 19, 2015 Updated: March 02, 2015

Statement Date:   March 01, 2015

Status

Affected

Vendor Statement

http://www.komodia.com/security-notice

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Komodia Redirector with SSL Digestor is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Kurupira Affected

Updated:  February 20, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Lavasoft Affected

Notified:  February 20, 2015 Updated: February 25, 2015

Statement Date:   February 23, 2015

Status

Affected

Vendor Statement

Here's the official statement from the company (on our website), announcing the updated release which is now live:

http://webcompanion.com/komodia-vulnerability-statement

Vendor Information

* For the past year, Lavasoft was developing and testing a new security feature in Ad-Aware Web Companion to scan and eliminate malicious content/advertising in HTTPS traffic, including content injected by internet proxies installed on the PC.
* This functionality was implemented with one of Komodia's public SDKs (the SSL Digestor). At no point was any encrypted information collected or analyzed. All analysis of incoming traffic to eliminate security risks was performed on the end-user's PC.
* Several weeks prior to the public announcement of the root CA certificate vulnerability, and upon consultation with our partners and evaluation of the risks/benefits, Lavasoft took the decision to remove the functionality that required the SSL Digestor.
* Lavasoft's most recent release of Ad-Aware Web Companion (released on February 18th 2015) does not include this capability, but we have confirmed that the compromised component of the Komodia SSL Digestor is still present. A new release of Web Companion will be issued imminently to correct this, with all end-users being notified of the update via the product. In the interim, the root CA certificate issued to "Lavasoft Limited" can be removed manually without consequences to the product.
* Ad-Aware AdBlocker (alpha) 1.3.69.1 is an unreleased and unsupported product. Alpha testers who have not uninstalled it by now are instructed to do so immediately, and to manually check to ensure the root CA certificate has been deleted as we cannot guarantee the effectiveness of the uninstaller in this pre-released version.

Vendor References

Addendum

Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1 are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lenovo Affected

Notified:  February 19, 2015 Updated: February 23, 2015

Statement Date:   February 19, 2015

Status

Affected

Vendor Statement

Please refer to our security advisory posted here:
http://support.lenovo.com/us/en/product_security/superfish

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

For a list of affected Lenovo products, please visit the security advisory provided in the vendor statement.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Qustodio Affected

Notified:  February 19, 2015 Updated: February 26, 2015

Statement Date:   February 20, 2015

Status

Affected

Vendor Statement

http://www.qustodio.com/en/blog/2015/02/qustodio-publishes-security-fix-windows-component-vulnerability

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Qustodio for Windows is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Superfish Affected

Notified:  February 19, 2015 Updated: February 23, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Superfish Visual Discovery is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

UtilTool Ltd Affected

Notified:  March 02, 2015 Updated: March 02, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

UtilTool Antivirus version 3.3.71 is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Websecure Ltd Affected

Notified:  February 20, 2015 Updated: February 26, 2015

Statement Date:   February 25, 2015

Status

Affected

Vendor Statement

Yesterday we released an update to our software (Easy-Hide-IP VPN 3.0.2) that includes an updated version of Komodia WITHOUT the SSL component. The SSL component was used in Easy-Hide-IP Classic 5.0.0.3 to filter privacy risks but is no longer included in the latest version of the application. Existing Easy-Hide-IP users are now being migrated to the combined VPN/Classic client and the old client is being retired.

The Komodia team have assured us that this version is 100% clear of any SSL modification.

Please let us know if you have any questions or comments.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Easy Hide IP Classic version 5.0.0.3.1 is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.



CVSS Metrics

Group          Score   Vector
Base           8.5     AV:N/AC:L/Au:N/C:C/I:P/A:N
Temporal       8.1     E:H/RL:W/RC:C
Environmental  8.6     CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

The CERT/CC wishes to thank the following for their contributions to this report:
Marc Rogers, https://twitter.com/marcwrogers
Rob Graham, https://twitter.com/erratarob
Twitter user TheWack0lian, https://twitter.com/TheWack0lian
Chris Palmer, https://twitter.com/fugueish
Filippo Valsorda, https://twitter.com/FiloSottile

This document was produced as a collaborative effort of the CERT/CC Vulnerability Analysis team.

Other Information

CVE IDs: None
Date Public: 2015-02-19
Date First Published: 2015-02-19
Date Last Updated: 2015-03-17 18:21 UTC
Document Revision: 130

Sponsored by CISA.