Is Dell shipping their computers with rogue root CA similar to Lenovo and Superfish?

Discussion in 'other security issues & news' started by acr1965, Nov 23, 2015.

  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The fact that he uploaded the private key for the world to view does now make it a security issue.

    If Dell did issue certs all with the same private key, it is a security vulnerability.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes they did. I was able to sign a binary with the private key. It validates on recent Dell machines (in my case an XPS8900).
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You inform Dell of the issue? With that private key now disclosed anyone with a Dell PC with the root CA in question installed is at risk.

    I would say to untrust that root CA for the time being. Have no idea what the impact of this would be. If Dell has monitoring software that is signed with the cert. and the person also monitoring for valid signed certs., it could bork the entire PC.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Dell is aware. The private key was disclosed in the Reddit thread.

    You are right, everyone with a new Dell computer is greatly at risk. All because Dell put the PRIVATE key on every system. Its called private for a reason. You don't publically put it out there.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Seriously guys, what's going on with these people like Dell, Lenovo? Should I be too naive to believe a mistake or n00b engineers working there? What's behind all this if anyone knows the risks involved?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Think you meant "same" private key on every system"? That is the no-no. Even Eset who issues that same root CA to everyone for SSL protocol scanning has the smarts to issue a unique private key for each installation.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The bad guys have in all likelhood already downloaded the Dell root CA in question, installed it, and are now using the disclosed private key to sign their malware with.

    If I had a Dell PC with that root cert installed, I would open up cermgr.msc and move that root cert. to the untrusted area. Like I said previously if you have security software that is monitoring signed exe's and dll's, this could cause any resultant Dell software to fail that is signed using the root CA is question. Your call on this one.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Thanks for your explanation.
     
  11. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    The original blogpost by the guy who "found" this and mentioned it on twitter: http://joenord.blogspot.com/2015/11/new-dell-computer-comes-with-edellroot.html

    Also apparently with the only comment by Dell so far (before the real ********* breaks loose): http://joenord.blogspot.com/2015/11...?showComment=1448298983454#c56662010323642857 (I guess that's her: https://twitter.com/lpt)

    Also: This. (There's another Root CA bundled with its private key and with all intended purposes activated, called "DSDTestProvider" on some laptops.)
     
  12. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    It's done on purpose almost everywhere. This superfish, Snowden's reveals etc.

    Why? Myriad of reasons.

    Why not? Because there is virtually no financial penalty for doing so. The public 99.99% of the time doesn't change their buying choices. Don't make laugh certainly no criminal prosecutions of industrial/corporate espionage on individuals.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It gets worse. Appears people who have deleted the eDell root CA found it mysteriously reappearing upon reboot. Someone appears to have come up with a fix for that:

    I did some further research as the certificate was found on Dell Latitude 7440's as well that were deployed with Dell 7 Pro images. As other posters have stated, the certificate comes back after deleting it a short time after rebooting. So I grabbed one of the affected machines and started uninstalling each Dell app one at a time. After removing the Dell Foundation Services the cert stopped coming back "so far". One of the laptops were shipped with Dell 7 Pro downgrade from Dell and then upgraded to Windows 10 but I have another machine that wasn't upgraded to 10 which has the certificate from the 7 Pro image as well.

    Ref. - in comments - http://arstechnica.com/security/201...ships-pcs-with-self-signed-root-certificates/
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also to clarify, this eDell root CA isn't just used for SSL server communication but for code signing as well. So appears Dell has "one upped" Levono's Superfish debacle.
     
  15. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
     
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    So will using a different browser besides IE mitigate the risk?
     
  17. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,935
    Location:
    UK
  18. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,935
    Location:
    UK
  20. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This is indeed very disturbing since we are talking critical infrastructure here:

    As part of its investigation, the company's analysts scanned the Internet using a tool from Censys to see if there are systems on the Internet using eDellRoot to encrypt traffic.

    The scan would have potentially turned up spoof websites using the eDellRoot certificate in order to look legitimate. Computers with eDellCert installed would trust a website's SSL/TLS connection if navigated to using the Chrome or Internet Explorer browsers.

    The search didn't show any websites using the eDellRoot certificate that is in question now. But it did show 24 IP addresses using a self-signed certificate with a different digital fingerprint but also called eDellRoot.

    The finding, Duo Security wrote, suggests that Dell may have shipped other computers and devices with identical cryptographic keys, another major mistake.

    "This seems to be a blatant disregard for basic cryptographic security," the report said.

    One of the 24 IP addresses appears to be a SCADA (Supervisory Control and Data Acquisition) system. SCADA systems are typically viewed as critical systems, as they're used in the energy and manufacturing industries.

    The fact that a SCADA system was open to the Internet was somewhat strange since they're usually closed off from the outside. Steve Manzuik, director of research for Duo Security, said via email that it's possible the system was misconfigured.
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,044
    Location:
    Texas
    https://isc.sans.edu/diary/Superfish 2.0: Dell Windows Systems Pre-Installed TLS Root CA/20411
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Any Dell PC shipped since August appears to be affected. Also I saw an interesting post over on the Emsisoft forum from a Dell user that that had a bunch of Policy registry keys altered. Would not be surprised if a lot of hacked Dell PCs are out there. Time will tell .....................

    Every single Dell desktop and laptop shipped since August contains a bogus root certificate, eDellRoot. Not only that, but the cert includes its own private key! It’s like Superfish all over again...

    That means more than ten million computers were infected at source, allowing attackers to spoof secure websites. And they could install infected Windows updates, because the certificate is also able to sign code.

    Ref.: http://www.computerworld.com/article/3008219/security/dell-edellroot-laptops-superfish-itbwcw.html
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Well Windows defender found a cert on mi dell yesterday after updated WD. thing is my dell desktop is 3 years old. 5000 series

    CN=DSDTestProvider, HASH:02c2d931062d7b1dc2a5c7f5f0685064081fb221

    Under one of the following registry keys:


    HKLM\Software\Microsoft\SystemCertificates\ROOT\Certificates\
    HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\

    The certificates can be found in Dell PCs running the following Windows operating systems:

    • Windows 10
    • Windows 8.1
    • Windows 8
    • Windows 7
    http://www.microsoft.com/security/p...isedCert.D&threatid=224188&enterprise=0#tab=2
     
    Last edited: Nov 27, 2015
  25. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    No bad eDell certificate found, you are not vulnerable. :thumb::thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.