by Martin Brinkmann on November 28, 2018 in Security – No comments
Microsoft published a security advisory today under ADV180029 — Inadvertently Disclosed Digital Certificates Could Allow Spoofing — that warns users and administrators about two Sennheiser software programs that may have introduced vulnerabilities on Windows devices they were installed on.
The two Sennheiser products HeadSetup and HeadSetup Pro installed root certificates on systems they were installed on. Users, who had to run the installer with elevated privileges because of that, were not informed about that.
Older versions of the application placed the private key and the certificate in the installation folder which in itself is not a good practice. Sennheiser used the same private key for all software installations of Sennheiser HeadSetup 7.3 or older.
Anyone, who installed the software on a computer system or got hold of the private key, could potentially abuse it because of that. An attacker could issue certificates on the system the software is installed on.
The certificate is self-signed, marked as a CA certificate and valid until January 13, 2027 when installed. The installer “pushes the certificate into the local machine trusted root certificate store of the Windows system on which it is installed”.
Updates of the application or removal of the HeadSetup software on a system version 7.3 or earlier were installed on won’t remove the certificate. Systems the software was installed on at a point in time remain vulnerable therefore even if the software is no longer installed on these systems.
German security company Secorvo Security Consulting GMHB published a vulnerability report that provides additional details.
Secorvo describes several attack scenarios in the report:
- Read and modify the complete session of the victim with any seemingly secure HTTPS
web server - Send the victim malicious software or provide with a download link to malicious
software seemingly coming from an arbitrary well-known software publisher
Sennheiser changed the installation system in newer versions of Sennheiser HeadSetup. Attackers can’t create valid certificates anymore directly as Sennheiser kept these secret this time.
The researchers could not find any published information about the “policies according to which the SeenComRootCA operates” and consider the “risk that an attacker might fraudulently obtain a certificate significantly higher [..] than for other pre-installed Root CAs or their respective Sub CAs”.
Sennheiser has not published an update at the time of writing that resolves the issue but removed downloads of existing setup versions of the application. Microsoft, however, removed the certificates from its Certificate Trust List.
You can track the issue under CVE-2018-17612.
Mitigation
Administrators may remove the certificates in the following way:
- Open an elevated command prompt window.
- Select Start.
- Type cmd.
- Right-click on the result and select “run as administrator” from the context menu.
- Run the following commands on the command line:
- certutil -delstore root “127.0.0.1”
- certutil -delstore root “SennComRootCA”
Note: if you need the web-based functionality, remove only the first certificate and wait for an update of the software application.
Active Directory administrators may place the certificates into the Untrusted Certificates store; this is found under PoliciesWindows SettingsSecurity SettingsPublic Key Policies
Untrusted Certificates.