If you recall last February, Lenovo came under significant scrutiny when it was found that SuperFish adware was preinstalled on many of its notebooks. This week, some researchers shared that Dell, the third biggest personal computer vendor according to Gartner, is also affected by the same kind of vulnerability. Some Inspiron 500 series and XPS models come preinstalled with a self-signed digital certificate called eDellRoot.
I was personally vulnerable in the Lenovo case so I decided to check my Dell setup this morning.
Detectify (see Figure 1) provides an easy and straightforward way to check your computer: visit its online test at https://dellrootcheck.detectify.com/
Here is what I got:
Figure 1: Online vulnerability check
Ok, as Detectify points out, that’s bad; it appears that my laptop is vulnerable to this security issue.
When vendors pre-install software and certificates like this, they are weakening the security of our devices and exposing us to unnecessary and increased risk.
But how bad is it? And how do you remove eDellRoot?
This situation is different from the Lenovo case, even if the underlying issue is also about certificate usage. For Lenovo, SuperFish was add-on software installed by default. For Dell, eDellRoot is a trusted root certificate installed by default.
Why is it bad?
Because Dell inadvertently shipped the private key of this certificate along with the public key (see Figure 2).
Figure 2: eDellRoot comes with the private key
That means that someone can spy on you (a man-in-the-middle attack) when you think you are surfing securely using an HTTPS connection while you are doing your online shopping or bank operations. This is particularly troubling at this time of the year with Black Friday and holiday shopping just around the corner.
If you encounter such an attack, your computer or web browser will likely not provide a warning since it sees the fake certificate as legitimate. Early reports suggested that Mozilla Firefox was detecting such attacks but later research demonstrated that the certificate can also be used to sign executables regardless of the browser in use.
We foresee that some viruses will use this trick to bypass Microsoft malware checks as well as those from other AV vendors. However, keep in mind that there is no risk from this vulnerability if you aren't using an affected Dell PC with eDellRoot embedded.
The first sample was sent to VirusTotal (MD5: 055511903384f53abb0f436a6c05c730).
Another more alarming sample was shared via Tor with timestamp 2015-11-24 02:39:36. This time it's not a benign file but a Conficker virus sample.
Its MD5 is f4b806cf6100d0656a84b7cc26cc27bd. We are currently identifying and blocking it as W32/Conficker.A!worm.
Figure 3: Signed test file properties
Where is this certificate located?
You can find it in your Windows installation by running “certmgr.msc”, then opening “Trusted Root Certification Authorities”, “Certificates” and searching for its name. Its serial number is 6b:c5:7b:95:18:93:aa:97:4b:62:4a:c0:88:fc:3b:b6.
You would think that right-clicking on it and deleting it from your trusted root certificates would do the trick. Unfortunately, that isn't the case: the certificate is reinstalled at the next reboot by a Dell foundation agent.
Dell was quite fast to provide a fix for this vulnerability. The only way to solve the issue is to install the urgent update available at https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=W2V25
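The same check done from a PowerShell prompt, as an added example that is not part of the original post or of any Dell or Fortinet tooling: it looks up the certificate in the machine and user trusted root stores by the serial number quoted above, reports whether the private key is present on the machine (the core of the problem), and offers a helper that tells you whether a given file's Authenticode signature chains to eDellRoot. The function names, the variable name and the store paths used are this example's own assumptions; run it before and after applying the Dell update to confirm the certificate is gone.

```powershell
# Added example, not from the original post. Finds the eDellRoot certificate in the
# Trusted Root Certification Authorities stores and reports whether the private key
# is present. Function and variable names are this example's own.

# Serial number from the post, with the colons removed and upper-cased, which is the
# format X509Certificate2.SerialNumber returns.
$EDellRootSerial = '6BC57B951893AA974B624AC088FC3BB6'

function Find-EDellRoot {
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.SerialNumber -eq $EDellRootSerial -or $_.Subject -like '*eDellRoot*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    SerialNumber  = $_.SerialNumber
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey   # $true means the private key is on this machine
                    NotAfter      = $_.NotAfter
                }
            }
    }
}

# Returns $true when a file's Authenticode signer chains to eDellRoot. Useful for
# checking downloads, since the post notes the certificate can sign executables.
function Test-SignedByEDellRoot {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $false }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We only want the chain elements, so ignore validity/revocation problems.
    $chain.ChainPolicy.VerificationFlags = 'AllFlags'
    $null = $chain.Build($sig.SignerCertificate)
    return [bool]($chain.ChainElements | Where-Object { $_.Certificate.SerialNumber -eq $EDellRootSerial })
}

$found = Find-EDellRoot
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning 'eDellRoot is present. Deleting it by hand is undone at reboot; apply the Dell update instead.'
} else {
    Write-Output 'eDellRoot not found in the trusted root stores.'
}
```

HasPrivateKey is the column to watch: a root certificate in a trusted store should never report $true there. The file check needs no extra tooling; Get-AuthenticodeSignature and X509Chain are part of Windows PowerShell and .NET.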
Fortinet is monitoring files signed by the eDellRoot certificate and will provide appropriate protection if required.
An IPS signature has been created, eDellRoot.Signed.Certificate, to detect this issue.
-= FortiGuard Lion Team =-