Slashdot Mirror


Second Root Cert-Private Key Pair Found On Dell Computer (threatpost.com)

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers, has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found on only two dozen machines, according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellRoot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

17 of 65 comments

  1. Unavoidable by edtice1559 · Score: 3, Interesting

    I feel bad for those who switched from Lenovo to Dell after the SuperFish fiasco.

    1. Re:Unavoidable by gcnaddict · Score: 3, Informative

      Um, they have legal possession or authorization over them? Could be computers owned by clients, by themselves, by consenting families of employees...

      The CFAA allows for this.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    2. Re:Unavoidable by fuzzyfuzzyfungus · Score: 5, Insightful

      The only consolation is that 'superfish' was clear evil, executed with some degree of effectiveness; while the current Dell thing appears to be unbelievable failure at even the concepts behind safe certificate handling, but without an overt evil objective.

      It is, at least, possible that stupid will be cured by enough 3rd party testing; but evil is harder to expunge.

      That said, the level of stupid on display here (especially for a company that is supposed to know how to, say, sign and deploy device drivers, and run a website with a secure order form) is pretty terrifying. Bugs are bad; but at least some of them are subtle. Adding a trusted root cert with an easily extractable private key to a huge number of customer systems isn't a 'bug', it's insanity.

    3. Re:Unavoidable by fuzzyfuzzyfungus · Score: 2

      I'm sure that some don't end up in handcuffs simply because the backlog of unpunished actual-bad-guys is so long that nobody even thinks about going after the white and grey hats, unless they embarrass the wrong person or company.

      It's also possible, though, that they managed it by perfectly licit means: millions of people pay to have AV companies grovel over their files and send some amount of data back to the mothership; and since certificate problems will affect the behavior of any program that uses the OS-provided certificate store (which is most of them, Firefox being the major exception), anyone with access to a decent slice of web traffic can probably infer the presence or absence of a given certificate on every IE and Chrome user who passes through.

    4. Re:Unavoidable by Anonymous Coward · Score: 2, Insightful

      It's completely avoidable. Do your homework on a new laptop (manufacturer doesn't matter.) Make sure it has good Linux compatibility. Buy it and install your favorite distro. I've been doing this for the past 10 years. It's great because you benefit from the lower price (thanks to all the shovelware) without having to actually live with the shovelware.

  2. Wait, they shipped the private key? by mi · Score: 4, Interesting

    private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop

    So, the happy owners of the affected laptops can now issue certificates and/or sign drivers, which will be accepted as genuine by other owners of Dell hardware?

    Seriously? If so, that's just too dumb to be malicious...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Wait, they shipped the private key? by gstoddart · Score: 4, Insightful

      Seriously? If so, that's just too dumb to be malicious...

      Companies are so bad about security these days that I refuse to differentiate between stupidity and malice.

      If they do it to sell ads, or they do it to make support easy but don't have proper security people review it ... I don't see much difference.

      --
      Lost at C:>. Found at C.
    2. Re:Wait, they shipped the private key? by Anonymous Coward · Score: 2

      The term you're looking for is "criminally negligent".

  3. Using Firefox Meantime by retroworks · Score: 3, Informative

    My new XPS 15 9050 had just arrived and I tested it and found it vulnerable, now looking forward to implementing the fix over the holiday. In the meantime, the fact that Firefox protected the machine on the test websites (and Chrome and Explorer did not) caused me to swap to Firefox on all my other machines, just because I appreciate they had my back.

    --
    Gently reply
    1. Re:Using Firefox Meantime by DarkOx · Score: 5, Informative

      You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

      Secondly, Firefox did not protect you from anything; the fact they don't share the system cert store did. Yeah, it worked out this time in your favor, but I honestly don't think Mozilla's failure to integrate with system certificate stores is a win in general. It's actually one of the biggest reasons I think about leaving my beloved SeaMonkey for something else.

      For one thing, you now have not one but 2 certificate stores you need to audit. That sucks! If a CA says they have been compromised I have to remember to fix it in 2 places instead of one. That isn't a security win. Many users probably don't even realize they don't use the system trusts, so if they get instructions to fix an issue by removing a CA they will likely fail to fix the Mozilla-based browser.

      Second, in managed environments revoking a trust in Mozilla isn't easy to script out; that means Firefox and SeaMonkey installs likely just don't get fixed, again not a security win.

      Frankly, I think it's rather a shame Mozilla does not provide at least the option to use the system trusted roots.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Using Firefox Meantime by quetwo · Score: 2

      It's not that they have your back -- it's that they use their own certificate chain of trust that doesn't rely on the OS. It's baked into the source code, and can't be updated unless you upgrade versions (also, if one gets blacklisted, you don't notice it either).
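    Added example (not code from the article, Dell, Duo Security or any commenter): the scenario mi asks about in comment 2 and the separate-trust-store point DarkOx and quetwo make in comment 3, worked through in Go with the standard library's crypto/x509. The root key is freshly generated and only stands in for a shipped root like eDellRoot; the CN, the hostname "mail.example.com" and both trust pools are constructed for the example and correspond to nothing real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeRoot generates a self-signed CA standing in for a vendor-shipped root
// such as eDellRoot. The key is freshly generated here and has no relation
// to any real certificate (an assumption of this example).
func makeRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf uses the root's private key to issue a server certificate for any
// hostname: this is what holding the shipped key lets every laptop owner do.
func mintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accepted reports whether a client trusting exactly the roots in pool would
// accept leaf for host, i.e. the chain check a browser runs on a TLS handshake.
func accepted(pool *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo builds two trust stores: one with the vendor root injected (the Windows
// store on an affected machine) and one without it (Firefox's own store, or
// the Windows store after removal), and returns each store's verdict.
func Demo(host string) (withRoot bool, withoutRoot bool, err error) {
	root, rootKey, err := makeRoot("eDellRoot-lookalike (example only)")
	if err != nil {
		return false, false, err
	}
	leaf, err := mintLeaf(root, rootKey, host)
	if err != nil {
		return false, false, err
	}
	poisoned := x509.NewCertPool()
	poisoned.AddCert(root)
	clean := x509.NewCertPool() // vendor root absent: separate store, or after cleanup
	return accepted(poisoned, leaf, host), accepted(clean, leaf, host), nil
}

func main() {
	withRoot, withoutRoot, err := Demo("mail.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("store containing the vendor root accepts the forged leaf: %v\n", withRoot)
	fmt.Printf("store without the vendor root accepts the forged leaf:    %v\n", withoutRoot)
}
```

    The two verdicts are the whole story of the thread: any client whose trust store contains the shipped root (IE and Chrome reading the Windows store) accepts a certificate for an arbitrary host minted with the leaked key, while a client with its own store that never contained the root (Firefox) rejects it, and so does the Windows store once the root is deleted. Note the converse DarkOx raises: a root removed from one store stays trusted in the other until it is removed there as well.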

  4. Steps by Anonymous Coward · Score: 2, Informative

    Step 0: Don't buy any equipment from a manufacturer that supports Microsoft Windows Platform Binary Table (WPBT).

    Step 1: Wipe any pre-existing OS on your equipment.

    Step 2: Stop buying anything from vendors (Lenovo, now Dell) who are proven to do this shit.

  5. Re:Dell is for cows. by Anonymous Coward · Score: 4, Funny

    Gateway is for cows, cretin.

  6. A word document? by jlv · Score: 3, Interesting

    Why were the removal instructions provided as a word document? They couldn't just have a simple web page with pictures?

    1. Re:A word document? by trawg · Score: 3, Informative

      Their official blog post actually has a PDF link - not sure if they've updated it since releasing the (weird) DOCX file, or if the DOCX came from another source.

    2. Re:A word document? by ThatsNotPudding · Score: 2

      Why were the removal instructions provided as a word document? They couldn't just have a simple web page with pictures?

      They couldn't get the Flash exploits to work in time.

  7. Sadly Microsoft encouraged this. by Lumpy · Score: 3, Informative

    We don't get clean reinstall DVDs; Microsoft allows the builder to put whatever crap they want on the computer. Honestly it's all Microsoft's fault.

    Go back to shipping a MICROSOFT PRESSED installation DVD with the machine as a requirement, and the install must be done from a clean image: no extra crap is allowed to be installed on the machine. Yes, that means they have to use decent chipsets instead of the crap-tastic stuff like Marvell and other really low-end China dog food devices.

    --
    Do not look at laser with remaining good eye.