All desktops and laptops shipped by Dell since August 2015 contain a root CA certificate (eDellRoot) complete with its private cryptographic key, exposing users to Man-in-the-Middle and signed-malware attacks.
“Dell Foundation Services installs the eDellRoot certificate into the Trusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key, which allows attackers to impersonate services and decrypt traffic,” CERT’s vulnerability note explains.
“An attacker can generate certificates signed by the eDellRoot CA. Systems that trust the eDellRoot CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services and decrypt network traffic and data.”
“Since it appears the private key shipped with the certificate authority (CA), anyone can create fake SSL certifications. They would look completely legitimate since they are signed by the eDellRoot CA,” commented Andrew Lewman, VP of Data Development at Norse.
“There are already fake Google certs out there signed by the eDellRoot CA. This could mean when logging into a bank, secure legal portal, Gmail, etc., that a criminal can easily grab the username and password entered into the desktop or laptop browser and see all of the traffic between the browser and the server.”
The existence of the certificate was flagged by security researcher Joe Nord, and has been confirmed by Dell, whose spokesman said it was meant to make the job easier for the company’s online customer support, as it would allow them to easily identify the customers’ PC model, drivers, OS, hard drive and so on.
“Unfortunately, the certificate introduced an unintended security vulnerability,” they admitted, and provided instructions on how to remove it.
In short, users who want to remove it have to remove both the eDellRoot certificate and the Dell Foundation Services component, as the latter re-installs the certificate. Dell systems that have been re-imaged and do not have Dell Foundation Services installed are not affected.
The company has also promised to automatically remove the certificate from machines on November 24.
Users who want to check whether their computers are affected can visit this page, which checks for existence of the certificate.
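As an added example (not Dell’s or CERT’s own tooling), the following PowerShell audits the Windows trusted root stores for the eDellRoot certificate and, more generally, flags any trusted root CA whose private key is present on the machine, which is the actual failure here: a CA private key has no business on an endpoint. It assumes an elevated session, matches eDellRoot by its subject name, and relies on the article’s point that Dell Foundation Services must also be uninstalled or the certificate comes back.

```powershell
# Added example, not code from Dell or CERT. Audits both root stores for
# eDellRoot and for any root CA that has its private key on this machine.
# Assumptions: elevated PowerShell 3.0+, eDellRoot identified by subject CN.

function Get-SuspiciousRootCerts {
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $isDell = $_.Subject -like '*CN=eDellRoot*'
            # A root CA with HasPrivateKey = $true means anyone on this box (or
            # anyone who extracted the key) can mint certificates it will trust.
            if ($isDell -or $_.HasPrivateKey) {
                $reason = if ($isDell) { 'eDellRoot CA' } else { 'root CA with private key on disk' }
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                    Reason        = $reason
                }
            }
        }
    }
}

function Remove-EDellRootCert {
    param([switch]$WhatIf)
    Get-SuspiciousRootCerts | Where-Object { $_.Reason -eq 'eDellRoot CA' } | ForEach-Object {
        $path = "$($_.Store)\$($_.Thumbprint)"
        # -DeleteKey also removes the associated private key from the key store.
        Remove-Item -Path $path -DeleteKey -WhatIf:$WhatIf
    }
}

$findings = Get-SuspiciousRootCerts
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No eDellRoot certificate or private-keyed root CAs found.' }

# Removal alone is not enough: as the article notes, Dell Foundation Services
# re-installs the certificate, so that component must be uninstalled as well.
# Remove-EDellRootCert -WhatIf   # dry run; drop -WhatIf to actually delete
```

Run the audit again after uninstalling Dell Foundation Services and rebooting to confirm the certificate has not been re-created.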
Dell also credited freelance journalist Hanno Böck and Kevin Hicks for the discovery of the vulnerability.
Duo Security researchers also delved into the problem, and apparently found another “certificate mishap” on their Dell machine – an Atheros signing certificate shipped with the Bluetooth software (and used to sign four of the Bluetooth drivers shipped with the install).
“Thankfully, this certificate expired on 3/31/2013 making it less prone to potential abuse. However, it appears that this certificate was in circulation while it was still valid (at least 11 days from what we can tell),” they pointed out.
It seems that Dell hasn’t learned much from Lenovo’s Superfish blunder revealed earlier this year.