Reference: CERT-EU Security Advisory 2015-750

Related Advisories
------------------
24/11/2015 [CERT-EU Security Advisory 2015-748] Dell eDellRoot certificate
25/11/2015 [CERT-EU Security Advisory 2015-749] UPDATED Dell eDellRoot certificate

Short Summary
-------------
Some Dell laptops and desktops come with a pre-installed self-signed root certificate named eDellRoot, and in some cases also have a second self-signed root certificate installed, named DSDTestProvider. This is a potential security vulnerability that makes it easy for attackers to hijack Internet connections and masquerade as trusted websites, compromising the security of encrypted HTTPS connections.

Systems affected
----------------
Only Dell users whose browsers or other applications rely on the system's certificate store are affected. Among the common Windows browsers, this vulnerability affects Internet Explorer, Edge and Chrome. Firefox users are not affected, as Mozilla's browser has its own certificate store.

Impact
------
An attacker can exploit this vulnerability by using the root certificate to create valid certificates for arbitrary web pages. Attackers can therefore mount man-in-the-middle attacks against Dell laptop and desktop users, showing them manipulated HTTPS web pages to harvest their credentials or reading their encrypted data. Symantec has stated [1] that it has seen malware signed with the eDellRoot certificate on VirusTotal.

Description
-----------
There have been reports that new models from Dell's XPS, Precision and Inspiron 7000 series (laptop and desktop), the Dell Orchid Touch and the Dell t4034 come with pre-installed self-signed root certificates. The first certificate found, pre-installed in the system's certificate store under the name "eDellRoot", is installed by software called Dell Foundation Services. The private key of this certificate is marked as non-exportable in the Windows certificate store.
However, this provides no real protection. The second root certificate found is called DSDTestProvider. It is not pre-installed, but gets installed when the user downloads Dell System Detect from Dell's web site. This second certificate is installed and used by Dell System Detect (DSD), an application downloaded from the Dell website that provides "Detect Product" features, helping users identify their laptop make, model and other technical details. Both certificates share the same expiration date of Nov. 9, 2031. Both certificates are self-signed and contain a private key. Any attacker can use these root certificates to create valid certificates for arbitrary web pages, and can therefore mount man-in-the-middle attacks against Dell users to show them manipulated HTTPS web pages or read their encrypted data. An attacker can also impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. In addition to man-in-the-middle attacks, the two certificates and their respective private keys allow attackers to sign code. This means that attackers can sign malware as if it were from another company, and it will look legitimate to computers with the eDellRoot or DSDTestProvider certificate authority installed.
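As an added check, not part of the CERT-EU advisory or of any Dell or Microsoft tool, the following PowerShell script enumerates the Windows machine and user trusted root stores for certificates whose subject or friendly name matches eDellRoot or DSDTestProvider, and reports whether a private key is present for each (a root certificate with its private key on the machine is what makes the vulnerability exploitable). Removal is opt-in via the -Remove switch; the names and match pattern are taken from the advisory, while the store paths and output fields are the script's own assumptions.

```powershell
# Added example, not from the advisory: find (and optionally remove) the
# eDellRoot / DSDTestProvider certificates in the Windows root stores.
param(
    [switch]$Remove   # only delete when explicitly requested
)

# Certificate names come from the advisory; matching them by regex against
# Subject and FriendlyName is an assumption about how they appear in the store.
$suspectNames = 'eDellRoot', 'DSDTestProvider'
$pattern = ($suspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Both the machine-wide and the per-user trusted root stores are checked.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.FriendlyName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is on the box lets anyone
                # with local access mint certificates that this machine trusts.
                HasPrivateKey = $_.HasPrivateKey
                SelfSigned    = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $found) {
    Write-Output 'No eDellRoot/DSDTestProvider certificates found in the root stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item on a Cert: path deletes the certificate from that store.
        # LocalMachine\Root requires an elevated (Administrator) prompt.
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -Verbose
    }
}
```

Run it from an elevated PowerShell prompt as `.\Find-DellRootCert.ps1` to report, and with `-Remove` to delete what it found. As the advisory notes, deleting the certificate alone is not sufficient if the binary that installed it (Dell Foundation Services or Dell System Detect) is still present, since it may re-install the certificate; use the Dell or Microsoft tools listed under Solutions to remove those components, then re-run this check.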
Solutions
---------
Users of Dell laptops can immediately check whether they are affected with an on-line check tool at:

https://edell.tlsfun.de/

Affected users should immediately remove the certificate following Dell's advice at:

http://www.dell.com/support/article/au/en/aubsd1/SLN300321?c=au&l=en&s=bsd&cs=aubsdt1

or use Dell's automatic removal tool:

https://dellupdater.dell.com/Downloads/APP009/DellCertFix.exe

Microsoft security tools can also detect and remove the vulnerable certificates from the root certificate store, as well as the affected binaries that might re-install the vulnerable certificate, using the following software:

- Windows Defender for Windows 10 and Windows 8.1
- Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool

Details can be found at:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Program%3aWin32%2fCompromisedCert.D&threatid=224188&enterprise=0#tab=1

Additional References
---------------------
[1] Symantec official blog
http://www.symantec.com/connect/blogs/dell-computers-affected-edellroot-self-signed-root-certificate

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383