Vulnerability Note VU#870761
Dell Foundation Services installs root certificate and private key (eDellRoot)
Original Release date: 24 Nov 2015 | Last revised: 01 Dec 2015

Overview
Dell Foundation Services installs the eDellRoot certificate into theTrusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key. This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MiTM), and passive decryption attacks, resulting in the exposure of sensitive information.

Description
Dell Foundation Services (DFS) is a remote support component that is pre-installed on some Dell systems. DFS installs a trusted root certificate (eDellRoot) that includes the private key. This certificate was first installed in August 2015.
Dell systems that have been re-imaged or do not otherwise have DFS installed are not affected. ZMap has provided a page to test for this vulnerability: https://zmap.io/dell/

Impact
An attacker can generate certificates signed by the eDellRoot CA. Systems that trusts the eDellRoot CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software.

Solution
Mark eDellRoot certificate as untrusted

Mark the eDellRoot certificate as untrusted. Using the Windows certificate manager (certmgr.msc), move the eDellRoot certificate from the Trusted Root Certificate Store to Untrusted Certificates. Marking the certificate as untrusted helps prevent reinstating trust if DFS is reinstalled or DFS reinstalls the certificate.

Remove eDellRoot certificate

Dell has issued guidance to remove the eDellRoot certificate in this blog post. It is important to both remove the eDellRoot certificate and the DFS component that re-installs the certificate. Dell has also provided a removal tool.

Administrators can Configure Trusted Roots and Disallowed Certificates for managed systems.

Update Certified Trust List

Microsoft Security Advisory 3119884 documents updates to the Certified Trust List (CTL) to mark the eDellRoot certificate as untrusted. Most Windows systems will automatically receive the updated CTL.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedDellAffected24 Nov 201525 Nov 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
9.4
AV:N/AC:L/Au:N/C:C/I:C/A:N

Temporal
8.2
E:H/RL:OF/RC:C

Environmental
6.5
CDP:ND/TD:M/CR:H/IR:H/AR:ND

References

http://www.dell.com/support/article/us/en/19/SLN300321
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertRemovalInstructions.docx
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe
http://joenord.blogspot.in/2015/11/new-dell-computer-comes-with-edellroot.html
https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-privates

Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish from technology


http://huagati.blogspot.com/2015/07/do-you-know-which-cas-can-issue-ssltls.html
https://technet.microsoft.com/en-us/library/dn265983.aspx
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
https://technet.microsoft.com/en-us/library/security/3119884.aspx

Credit

Dell credits Hanno Böck, Joe Nord and Kevin Hicks (rotorcowboy).
This document was written by Art Manion.

Other Information

CVE IDs:
Unknown

Date Public:
23 Nov 2015

Date First Published:
24 Nov 2015

Date Last Updated:
01 Dec 2015

Document Revision:
45

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply