[ad_1]
Microsoft today released a security advisory warning that two applications had accidentally installed two root certificates on users' computers and then allowed private keys to filter.
The software developer's error means that malicious third parties can extract the private keys from both applications and use them to issue fake certificates in order to spoof legitimate websites and software publishers for years to come .
HeadSetup and HeadSetup Pro are the two applications developed by the German software developer Sennheiser. The software is used to configure and manage soft phones – software applications for making phone calls over the Internet and a computer, without the need for a real physical phone.
The problem with both HeadSetup applications was unearthed earlier this year when the German security firm Secorvo discovered that versions 7.3, 7.4, and 8.0 were installing two root CA certificates in the root certificate store Windows users' computers, but also included private keys for all in the SennComCCKey.pem file.
In a report released today, Secorvo researchers have released a technical validation code demonstrating how trivial it would be for an attacker to analyze the installation programs of both applications and to determine whether or not it is safe to use it. extract the private keys.
Worse, the certificates are also installed for Mac users, via the MacOS HeadSetup application versions, and they are not removed from the operating system's trusted root certificate store during updates or updates. HeadSetup uninstall operations.
In the words of the researchers, "every system on which HeadSetup […] has been installed anytime in the past […] remains vulnerable "until users manually check the Trusted Root Certificate Store and remove both certificates, or until the certificates expire – which could be January 13, 2027 or the 27th July 2037, respectively.
Sennheiser, the software provider behind the snafu, acknowledged his mistake and removed both apps from the download section of his website while preparing for an update whose release is scheduled this week.
The company said that this HeadSetup solution will look for and remove root certificates from affected systems, and replace them with new certificates that do not lose their respective private keys.
Customers who have installed the Sennheiser HeadSetup software must update their applications as updates become available. Users who have not installed the Sennheiser HeadSetup software have nothing to do, they remain vulnerable to attack.
In the meantime, Microsoft has updated the company's trusted certificate list to remove user mode trust in all three certificates. This means that websites or software signed with falsified certificates generated using the three root certificates involved trigger an error for Windows users.
Users or system administrators who can not afford to wait until Sennheiser publishes a HeadSetup update that removes the offending certificates can see the Secorvo Report, section 7.2 for manual removal of certificates from the certificate store. Windows trust root. Sennheiser has also released guides on removing three certificates for Windows and macOS users.
Sennheiser's snafu, followed by CVE-2018-17612, is not the first of its kind. In 2015, Lenovo shipped laptops with a certificate exposing its private key in a scandal known as Superfish. Dell did exactly the same thing in 2016 during a similar security incident, known as eDellRoot.
Security Coverage:
Source link