‘Unintended Vulnerability’ on Dell Systems

Tuesday, November 24, 2015 @ 05:11 PM gHale

Desktops and laptops shipped by Dell since August 2015 contain a root CA certificate, eDellRoot, together with its private key, opening users to man-in-the-middle attacks.

“Dell Foundation Services installs the eDellRoot certificate into the Trusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key, which allows attackers to impersonate services and decrypt traffic,” CERT’s vulnerability note said.


“An attacker can generate certificates signed by the eDellRoot CA. Systems that trust the eDellRoot CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services and decrypt network traffic and data.”

The certificate was discovered by security researcher Joe Nord and confirmed by Dell, whose spokesman said it was originally meant to make the job easier for the company's online customer support by letting support staff quickly identify a customer's PC model, drivers, OS, and hard drive.

“Unfortunately, the certificate introduced an unintended security vulnerability,” Dell said. The company has published instructions for removing it.

Users who want to remove it must remove both the eDellRoot certificate and the Dell Foundation Services component, because the latter reinstalls the certificate if it is deleted on its own. Dell systems that have been re-imaged without Dell Foundation Services are not affected.

The company has also promised to automatically remove the certificate from machines on November 24.

Users who want to check whether their computer is affected can use a web-based test page that checks for the presence of the certificate in the browser's trusted root store.
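The check and the two-part removal described above (delete the certificate, and stop the Dell Foundation Services component that would put it back) can be done locally from an elevated PowerShell prompt. The script below is an added example written for this article; it is not Dell's removal tool or CERT's code. It assumes, since the page does not state either, that the certificate's subject contains "eDellRoot" and that the component runs as a Windows service whose display name begins with "Dell Foundation Services". It also reports the property that makes this certificate dangerous rather than merely unusual: whether the trusted-root entry carries a private key.

```powershell
# Added example (not Dell's or CERT's code). Run as Administrator.
# Assumptions not taken from the page: subject matches '*eDellRoot*',
# service display name starts with 'Dell Foundation Services'.

function Find-EDellRoot {
    # Check both the machine-wide and the current user's trusted root stores.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like '*eDellRoot*' }
}

$certs = @(Find-EDellRoot)
if ($certs.Count -eq 0) {
    Write-Host 'eDellRoot is not present in the trusted root stores.'
    return
}

foreach ($cert in $certs) {
    # HasPrivateKey is the security-relevant finding: a trusted root whose
    # private key sits on the box lets anyone who extracts it issue
    # certificates that this machine will accept for any site.
    '{0}  store={1}  HasPrivateKey={2}  NotAfter={3}' -f `
        $cert.Thumbprint, $cert.PSParentPath, $cert.HasPrivateKey, $cert.NotAfter
}

# Stop and disable the reinstalling component first; deleting the
# certificate alone is undone the next time the service runs.
$svc = Get-Service -DisplayName 'Dell Foundation Services*' -ErrorAction SilentlyContinue
if ($svc) {
    $svc | Stop-Service -Force -ErrorAction SilentlyContinue
    $svc | Set-Service -StartupType Disabled
    Write-Host ('Stopped and disabled service: ' + ($svc.Name -join ', '))
} else {
    Write-Host 'No Dell Foundation Services service found (assumed name).'
}

# Remove the certificate from every store it appeared in. -DeleteKey also
# removes the associated private key container, not just the cert entry.
$certs | Remove-Item -DeleteKey -Force

# Verify the removal actually took.
if (@(Find-EDellRoot).Count -eq 0) {
    Write-Host 'eDellRoot removed.'
} else {
    Write-Warning 'eDellRoot still present; check that the service is really stopped.'
}
```

Disabling the service is enough to stop the certificate from coming back on the next boot; fully uninstalling the Dell Foundation Services component, as Dell's instructions direct, is still the right end state. Re-run the check after Dell's automatic removal has been applied, and after any Dell driver or support-software update, since the component could plausibly be reinstalled by one.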

Duo Security researchers also looked into the problem and found another “certificate mishap” on their Dell machine: an Atheros code-signing certificate shipped with the Bluetooth software, complete with its private key, and used to sign four of the Bluetooth drivers included with the install.

“Thankfully, this certificate expired on 3/31/2013 making it less prone to potential abuse. However, it appears that this certificate was in circulation while it was still valid (at least 11 days from what we can tell),” the researchers said.