Superfish 2.0: Dell Windows Systems Pre-Installed TLS Root CA
Recently shipped Dell systems have been found to include a special Root CA Certificate and private key, "eDellRoot". All systems apparently use the same key and certificate. Using the "secret" key, anybody could create certificates for any domain, and Dell systems with this eDellRoot certificate would trust it. The key is part of "Dell Foundation Services".
To test if your system is affected, see: https://edell.tlsfun.de
To remove the certificate if you are affected:
- stop and disable Dell Foundation Services
- delete the eDellRoot CA (start certmgr.msc, select "Trusted Root Certification Authorities" and "Certificates". Look for eDellRoot)
For details about managing Root CAs see https://technet.microsoft.com/en-us/library/cc754841.aspx
In this case, it is not sufficient to just remove the CA. Dell Foundation Services will reinstall it. This is why you need to disable Dell Foundation Services first, or delete the Dell.Foundation.Agent.Plugins.eDell.dll.
| Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Anonymous
Nov 24th 2015
8 years ago
RBeaudry
Anonymous
Nov 24th 2015
8 years ago
Superfish 2.0 is not finished yet - reading the German (sorry, didn't find/search for a translation) article [1].
After Downloading and Installing "Dell System Detect" you are proud owner of another root certificate with corresponding privte key
[1]
http://www.golem.de/news/https-verschluesselung-noch-ein-gefaehrliches-dell-zertifikat-1511-117615.html
Anonymous
Nov 25th 2015
8 years ago
What do you think about searching for concerned workstation via powershell, searching by fingerprint :
PS C:\ > Get-ChildItem -path cert:\LocalMachine\AuthRoot |findstr /I "98a04e4163357790c4a79e6d713ff0af51fe6927"
Thanks in advance !
Regards.
Anonymous
Nov 25th 2015
8 years ago