Vulnerability Note VU#529496
Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys
Original Release date: 19 Feb 2015 | Last revised: 17 Mar 2015

Overview
Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing

Description
Komodia Redirector SDK is a self-described "interception engine" designed to enable developers to integrate proxy services and web traffic modification (such as ad injection) into their applications. With the SSL Digestor module, HTTPS traffic can also be manipulated. This is accomplished by installing a root CA certificate into browser trusted certificate stores, enabling the proxy to effectively man-in-the-middle all web traffic without raising any flags for the end-user.
In multiple applications implementing Komodia’s libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.

In addition to sharing root CA certificates across installations, the SSL validation that Komodia itself performs has been reported to be broken. This allows an attacker to target every installation of Komodia Redirector at once, rather than having to focus on a single application or certificate.

Users should be aware that uninstalling affected applications is not sufficient to remove the security risk, since the root certificates are not removed in the process. Lenovo, whose consumer-grade systems come bundled with the software, has provided instructions and an automated removal tool. A list of potentially affected Lenovo systems is available from Lenovo (see the References section).

Users can verify whether their systems contain Superfish and other Komodia root certificates by visiting the Badfish test site listed in the References section.

Impact
An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Solution
Apply an update

Komodia has updated their vulnerable libraries. Developers who use the Komodia libraries should update their applications.

Users should check vendor websites for updates to affected software and apply them immediately. Given the severity of the issue, users who are unsure that an update addresses the vulnerability are strongly encouraged to consider the following workaround.
Uninstall software using Komodia Redirector SDK and associated root CA certificates

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. Refer to the Vendor Information section below for an updated list of known affected vendors.

After uninstalling an offending application, it is also necessary to independently remove compromised root CA certificates. Note that the names of these certificates are likely to vary based on the originating application. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store.

Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.

Vendor Information

Vendor               Status    Date Notified   Date Updated
Atom Security, Inc   Affected  20 Feb 2015     23 Feb 2015
DyKnow               Affected  17 Mar 2015     17 Mar 2015
Infoweise            Affected  22 Feb 2015     22 Feb 2015
KeepMyFamilySecure   Affected  19 Feb 2015     23 Feb 2015
Komodia              Affected  19 Feb 2015     02 Mar 2015
Kurupira             Affected  -               20 Feb 2015
Lavasoft             Affected  20 Feb 2015     25 Feb 2015
Lenovo               Affected  19 Feb 2015     23 Feb 2015
Qustodio             Affected  19 Feb 2015     26 Feb 2015
Superfish            Affected  19 Feb 2015     23 Feb 2015
UtilTool Ltd         Affected  02 Mar 2015     02 Mar 2015
Websecure Ltd        Affected  20 Feb 2015     26 Feb 2015

CVSS Metrics

Group          Score   Vector
Base           8.5     AV:N/AC:L/Au:N/C:C/I:P/A:N
Temporal       8.1     E:H/RL:W/RC:C
Environmental  8.6     CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

References

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
Ad injection SDK
https://filippo.io/Badfish/
https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
http://news.lenovo.com/article_display.cfm?article_id=1929
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206
http://news.lenovo.com/article_display.cfm?article_id=1929&cid=ww:social:147924660:147924659:TWITTER:lenovo:*%20Customer%20Service%20and%20Support&linkId=12450493
http://www.komodia.com/wiki/index.php/Komodia%27s_Redirector
http://www.komodia.com/wiki/index.php/SSL_Digestor
http://www.keepmyfamilysecure.com/about/
http://www.komodia.com/wiki/index.php/Komodia%27s_Redirector#When_do_I_need_the_SSL_Digestor.3F
Facebook post by Protect the Graph, Friday, February 20, 2015: "Lenovo installs adware on customer laptops and compromises ALL SSL."
http://support.lenovo.com/us/en/product_security/superfish_uninstall (Lenovo security notice)

Credit

The CERT/CC wishes to thank the following for their contributions to this report:

Marc Rogers, https://twitter.com/marcwrogers
Rob Graham, https://twitter.com/erratarob
Twitter user TheWack0lian, https://twitter.com/TheWack0lian
Chris Palmer, https://twitter.com/fugueish
Filippo Valsorda, https://twitter.com/FiloSottile
This document was produced as a collaborative effort of the CERT/CC Vulnerability Analysis team.

Other Information

CVE IDs:
Unknown

US-CERT Alert:
TA15-051A

Date Public:
19 Feb 2015

Date First Published:
19 Feb 2015

Date Last Updated:
17 Mar 2015

Document Revision:
129
