Meet eDellRoot, The Rogue Certificate

Say hello to eDellRoot, the next major vulnerability to hit the enterprise information technology and security landscape. Dell, being one of the world’s largest computer manufacturers, has reported a vulnerability concerning a self-signed root certificate that breaks HTTPS. It was recently discovered that some new and existing Dell computers ship with a CA certificate named ‘eDellRoot’.

If you can recall, just six months prior, Lenovo experienced a similar issue with the well-known catastrophe of Superfish. Superfish was a piece of software installed by Lenovo which installed its own SSL root certificate on affected computers. eDellRoot is a comparable case, where Dell has been found shipping laptops pre-installed with the eDellRoot certificate issued by Dell. The complete scope of the impacted systems has not yet been determined; however, this pre-installed root certificate resides on newer Dell laptops and desktops.

The remote support component Dell Foundation Services (DFS) has been pre-installed on the newer models of Dell systems. DFS installs the eDellRoot certificate into the Trusted Root Certificate Store on Microsoft Windows systems. Although the key is flagged as “non-exportable”, this flag is merely enforced by the operating system, and the private key may still be retrieved.

The most critical issue to note is that all eDellRoot certificates are installed with the same private key, making it easy for attackers to find and misuse. Any attacker who has access to a single copy of the eDellRoot certificate and its private key fundamentally has the ability to perform a trusted man-in-the-middle attack against any system with the certificate installed. This leaves end users with affected systems in a position where they may trust a fraudulently signed TLS certificate. Attacks that leverage this vulnerability include but are not limited to impersonating secure websites or services, signing email messages, signing software (including malware) under any publisher name, and decrypting HTTPS traffic while in transit.

The good news is that there is an easy way to test to see if your laptop is affected here. You will also be able to see the certificate in your operating system’s root store. Note that Dell’s management software will re-install the certificate upon system reboot if you only remove it manually. To remove the certificate permanently you should use the tool on the Dell website, found here.
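As an added example (not from the original post or from Dell), the following PowerShell check enumerates the Windows root stores for a certificate named eDellRoot and reports whether the Dell Foundation Services component that re-installs it is still present. The store paths are the standard Windows Certificate provider paths; the service is matched on the display name given above, which is an assumption about how it appears on a given system.

```powershell
# Added example: inventory check for eDellRoot on a Windows host.
# A root CA certificate that carries a private key on an end-user machine is
# itself anomalous, so HasPrivateKey is reported alongside the match.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'CN=eDellRoot' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # should never be true for a root
            }
        }
}

# Assumption: the service display name contains the component name used in the post.
$dfs = Get-Service | Where-Object { $_.DisplayName -like '*Dell Foundation Services*' }

if ($findings) {
    $findings | Format-Table -AutoSize
    if ($dfs) {
        Write-Warning ("Dell Foundation Services is present ({0}); a manual " +
            "delete will be undone at reboot. Use Dell's removal tool." -f $dfs.Status)
    }
    exit 1   # non-zero so this can be used in fleet-wide compliance checks
} else {
    Write-Output 'eDellRoot not found in the machine or user root stores.'
    exit 0
}
```

Run from an elevated prompt so the LocalMachine store is fully readable; the exit code lets endpoint-management tooling flag affected hosts for follow-up with the Dell removal tool.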

For Managed Services customers, our team will continue to engage with the technical contacts for each of the respective organizations to provide direct information regarding patches, escalations, and reports depending on our service agreements. If you have questions or concerns, please contact your Secure Sense account representative directly or call Secure Sense at 866-999-7506.

Please connect with Secure Sense on LinkedIn and follow us on Twitter @Securesense for current company and industry news.