SecurityWeek
Second Root Certificate, Tracking Issue Found on Dell PCs

After news broke that Dell desktop and laptop computers include a self-signed root certificate that can be exploited for man-in-the-middle (MitM) attacks, experts found a second such certificate, along with a security issue that can be leveraged to track users.

Experts discovered last week that Dell commercial and consumer systems running an application called Dell Foundation Services included a root certificate, eDellRoot, and its private key. An MitM attacker could have exploited this weakness to intercept HTTPS communications and steal sensitive data or serve malware to the victim.

Dell said it had been shipping the root certificate with Dell Foundation Services updates since August. The certificate was used to allow online support staff to identify the computer model when helping customers.

After security experts raised the alarm, Dell provided instructions on how to remove eDellRoot and started pushing out new updates designed to delete the certificate.

The incident reminded many of the Lenovo Superfish adware discovered earlier this year. Ironically, Dell has been using the Superfish story to advertise its laptops, claiming that all preinstalled software undergoes security and privacy testing.

It turns out that there is a second certificate on Dell devices that can be exploited by MitM attackers. According to researchers, Dell System Detect, a support app preloaded on many PCs, installs a root certificate named DSDTestProvider into the Trusted Root Certification Authorities store in Windows.

This certificate also includes the private key, which means malicious actors could generate rogue certificates and use them to impersonate websites, sign software, and decrypt network traffic, CERT/CC said in an advisory. Dell says it’s currently investigating the issue of the DSDTestProvider certificate.
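The two certificates described above are dangerous because a trust anchor whose private key is present on the machine lets anyone who holds that key mint certificates the PC will accept. The following read-only audit is an added example, not Dell's removal instructions or the article's own material: it looks in the Windows Trusted Root stores for the eDellRoot and DSDTestProvider subjects named in the article and reports whether a private key is attached, so an administrator can inventory affected machines before applying Dell's removal steps.

```powershell
# Added example (not from Dell or the article): audit the Windows Trusted Root
# stores for the two certificates named in the article and report whether the
# matching private key is present locally. Read-only; it removes nothing.

# Subject names come from the article; the regex anchors on the CN field.
$pattern = '^CN=(eDellRoot|DSDTestProvider)(,|$)'

# Both the machine-wide and the per-user root stores can hold trust anchors.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root whose private key is on the box is the actual MitM risk:
                # the key can sign leaf certificates for any hostname.
                HasPrivateKey = $_.HasPrivateKey
                # Both Dell certificates were self-signed roots, not issued by a CA.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Non-zero exit so the check can gate a fleet-wide inventory job.
    exit 1
} else {
    Write-Output 'No eDellRoot or DSDTestProvider certificate found in the root stores.'
    exit 0
}
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; a row with HasPrivateKey set to True is a machine that still needs the vendor's removal steps applied.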

This is not the first time experts have found a security issue related to Dell System Detect. Earlier this year, researcher Tom Forbes reported that older versions of the application were vulnerable to remote code execution attacks, which led to Malwarebytes classifying the tool as a potentially unwanted program (PUP).

On Monday, a researcher reported finding another privacy issue related to Dell Foundation Services. The expert, known online as “Slipstream,” discovered that any website can obtain a device’s service tag, which Dell uses to obtain information on a product’s technical specifications and warranty.

A proof-of-concept site set up by Slipstream shows how easily websites can track Dell Foundation Services users. The information obtained from the service tag can be used by malicious actors to trick victims into thinking they are Dell support technicians, F-Secure’s Mikko Hypponen told Motherboard.

Cloud-based access security provider Duo Security has also identified a certificate-related issue. Experts found that an attacker could have obtained a code signing certificate shipped by Dell with its Bluetooth management software. The certificate expired in 2013, but Duo says there was a period of at least 11 days when the certificate could have been abused.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.