Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Superfish 2.0: Dell Windows Systems Pre-Installed TLS Root CA - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Superfish 2.0: Dell Windows Systems Pre-Installed TLS Root CA

Recently shipped Dell systems have been found to include a special Root CA Certificate and private key, "eDellRoot". All systems apparently use the same key and certificate. Using the "secret" key, anybody could create certificates for any domain, and Dell systems with this eDellRoot certificate would trust it. The key is part of "Dell Foundation Services".

To test if your system is affected, see: https://edell.tlsfun.de

To remove the certificate if you are affected:

- stop and disable Dell Foundation Services
- delete the eDellRoot CA (start certmgr.msc, select "Trusted Root Certification Authorities" and "Certificates". Look for eDellRoot)

For details about managing Root CAs see https://technet.microsoft.com/en-us/library/cc754841.aspx

In this case, it is not sufficient to just remove the CA. Dell Foundation Services will reinstall it. This is why you need to disable Dell Foundation Services first, or delete the Dell.Foundation.Agent.Plugins.eDell.dll.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

 Johannes

4479 Posts
ISC Handler
Nov 24th 2015
Thread locked Subscribe Nov 24th 2015
6 years ago
Do you have any more details about how the site testing for this works? I'm getting a positive test for a system that has been wiped and imaged.
 Anonymous
Quote Nov 24th 2015
6 years ago
I tried the test on Firefox, Chrome and IE 11. All 3 return that I don't have the certificate. The only exception is IE 11 asked if I wished to enable the blocked content of the website. When I click yes, I then receive message that I have the vulnerable edell certificate. It's not in the trusted certificate store in my system. I'm running an HP tower.
RBeaudry
 Anonymous
Quote Nov 24th 2015
6 years ago
Hi,
Superfish 2.0 is not finished yet - reading the German (sorry, didn't find/search for a translation) article [1].

After Downloading and Installing "Dell System Detect" you are proud owner of another root certificate with corresponding privte key


[1]
http://www.golem.de/news/https-verschluesselung-noch-ein-gefaehrliches-dell-zertifikat-1511-117615.html
 acbeko

13 Posts
Quote Nov 25th 2015
6 years ago
Hi,

What do you think about searching for concerned workstation via powershell, searching by fingerprint :
PS C:\ > Get-ChildItem -path cert:\LocalMachine\AuthRoot |findstr /I "98a04e4163357790c4a79e6d713ff0af51fe6927"


Thanks in advance !
Regards.
 Yolow

1 Posts
Quote Nov 25th 2015
6 years ago

Sign Up for Free or Log In to start participating in the conversation!