Dell’s eDellRoot certificate screw-up – what dazed admins need to know
For PC users it’s a case of here we go again. Earlier in 2015, PC giant Lenovo was infamously caught shipping Windows computers with a piece of useless adware containing a self-signed root certificate that opened a massive security hole for customers. This week, it was Dell’s turn. Crowdsourced researchers revealed that the company had suffered the same egregious weakness not once, but twice, this time inside a pair of tools used for remote support.
Lenovo’s issue was more embarrassing than Dell’s – the vulnerability was part of a program called Superfish witlessly put there to serve adverts inside browser sessions – but frankly from a security point of view this sort of distinction makes no odds. Embedding a self-signed SSL certificate, together with its private key, in an application shipped to large numbers of users is asking for trouble and should not have happened. This sort of configuration would be normal for a development build, not the final software, which should have used a certificate signed by a Certificate Authority (CA).
The problem in more detail: Dell’s Foundation Services remote support tool was discovered to have installed a self-signed root certificate identifying itself as ‘eDellRoot’. In plain terms, anyone aware of the issue could extract the certificate’s private key and use it to impersonate any HTTPS website they fancied as part of a TLS man-in-the-middle compromise. This is very bad – browsers would accept this borrowed certificate as genuine and in most cases show no warning. Criminals could also sign malware to make it appear legitimate, and could read encrypted data such as website logins by sniffing laptops connecting through public Wi-Fi.
The size of the risk? Potentially huge for any system lacking remediation (see below). This must be addressed urgently.
That all? Apparently a second tool, Dell System Detect (DSD), has been discovered trying the same insecure trick with a self-signed certificate called DSDTestProvider. The Dell private PKI keys used to create these certificates are now insecure.
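A detection check an administrator can run on an affected Windows machine, added here as an example (not Dell’s or the researchers’ code): it lists any certificate in the trusted root stores whose subject matches the two names above and reports whether the private key is present, which is what makes these certificates dangerous. The store paths and the assumption that the subject contains those exact strings are mine.

```powershell
# Added example: scan the Windows Trusted Root stores for the eDellRoot and
# DSDTestProvider certificates named in this article. Detection only; it does
# not modify the stores.
$suspectNames = @('eDellRoot', 'DSDTestProvider')          # names from the article
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')  # assumed store paths

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            $subject = $_.Subject
            # true if any suspect name appears in the subject
            $suspectNames | Where-Object { $subject -match [regex]::Escape($_) }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey   # a root cert with its key on disk enables impersonation
                NotAfter      = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Found $(@($findings).Count) suspect root certificate(s); remove them and the Dell tool that installs them."
} else {
    Write-Output 'No eDellRoot or DSDTestProvider certificate found in the trusted root stores.'
}
```

Run it from an elevated PowerShell session so the LocalMachine store and key containers are readable.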
How was it discovered? Technical users and interested researchers talking to one another on Reddit and other sites.