Dell in hot water again as second 'Superfish' root certificate surfaces
Dell customers have turned up a second root certificate installed on some Dell machines, which could make them easy prey for malicious attacks on public Wi-Fi networks.
The second problematic root certificate is called DSDTestProvider. Its discovery follows yesterday's removal by Dell of the dangerous eDellroot certificate from affected Dell PCs.
With DSDTestProvider, once again a Dell support feature has inadvertently exposed customers to attacks that would be trivial to exploit. It is the same security blunder made by rival Lenovo in February with its Superfish adware.
Carnegie Mellon University CERT has warned that the DSDTestProvider certificate, which includes the private key, allows an attacker to create trusted certificates and perform impersonation, man-in-the-middle (MiTM) and passive-decryption attacks.
A classic example of a man-in-the-middle attack is a criminal in a cafe waiting for an affected Dell machine to log on to the public Wi-Fi network.
An attacker can generate certificates signed by the DSDTestProvider Certificate Authority (CA), and those certificates will be trusted by any system that trusts that CA, CERT explained.
"An attacker can impersonate websites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a website, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software."
Dell computers are popular among enterprise users as well as consumers, making it fairly easy for hackers to select a location and have a good chance of finding high-value targets.
"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first-class lounges and eavesdrop on everyone's encrypted communications," Robert Graham, CEO of Errata Security, wrote of the eDellRoot issue.
"I suggest 'international first class', because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking."
Dell said its investigations this week confirmed that no other root certificates are present in the factory installed PC image but admitted that the Dell System Detect application and its DSDTestProvider root certificate have similar characteristics to eDellRoot.
"In the case of Dell System Detect, the customer downloads the software proactively to interact with the Dell Support website so we can provide a better and more personalized support experience," a Dell spokesman said.
"Like eDellRoot, the support certificate in question was designed to make it faster and easier for our customers to get support."
Dell said the impact is limited to customers who used the 'detect product' functionality on its support site between October 20 and November 24, 2015.
"The application was removed from the Dell Support site immediately and a replacement application without the certificate is now available. We are proactively pushing a software update to address the issue and have also updated instructions on our site to permanently remove the certificate."
Hanno Böck, who discovered the eDellroot issue reported discovering the DSDTestProvider certificate yesterday, pointed out the DSD part of the certificate's name refers to Dell System Detect, a piece of software that runs a diagnostics test on Dell hardware to detect outdated drivers.
"There have been concerns about the security of Dell System Detect before. Malwarebytes has an article about it from April mentioning that it was vulnerable to a remote code execution vulnerability," he noted.
Laptopmag also discovered the DSDTestProvider certificate on a new Dell XPS 13, alongside the eDellRoot certificate.
Carnegie Mellon CERT advised users to visit the Windows certificate manager on the device and move the DSDTestProvider certificate from the Trusted Root Certificate Store to Untrusted Certificates.
"Revoking the certificate helps prevent reinstating trust if DSD is reinstalled," it noted.
That advice is also relevant to removing the threat posed by the eDellroot certificate, which a support service called Dell Foundation Agent reinstalled after removal.
Security researchers and Dell advised users to delete the Dell.Foundation.Agent.Plugins.eDell.dll module to prevent it from reinstalling the certificate.