Another root certificate vulnerability has been found on at least some Dell’s Windows-powered computers. Earlier this week, the US-based computer juggernaut was caught shipping some of its recent PCs with a self-signed eDellRoot digital certificate which put its customers’ privacy and security at risk.
It turns out, eDellRoot wasn’t the only self-signed digital certificate that could allow attackers to impersonate websites and steal a user’s information. Another root certificate called DSDTestProvider has been found by researchers on some Dell systems that could potentially be abused by attackers to perform the same man-in-the-middle attacks the eDellRoot certificate allowed, allowing attackers to snoop on user data and spoof encrypted pages.
“Dell System Detect installs the DSDTestProvider certificate into the Trusted Root Certificate Store onMicrosoft Windows systems. The certificate includes the private key,” wrote researchers at Carnegie Mellon University.
“This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MiTM), and passive decryption attacks, resulting in the exposure of sensitive information.”
Dell System Detect (DSD) is designed to interact with the Dell Support website. The researchers note that Dell systems that have been re-imaged, a popular process in which users remove all the applications that come pre-installed on the system and re-install them, are not affected. Some Dell systems don’t come with the said certificate at all – those computers are not affected either. As of now, exactly which PCs ship with the DSDTestProvider certificate is not known.
The certificate is identical to the eDellRoot, which means that an attacker could generate certificates by the DSDTestProvider CA too, and impersonate websites and other services, emails, and decrypt network traffic among other things.
On Monday, Dell acknowledged that its eDellRoot certificate is riddled with an “unintended security vulnerability.” The company also published an 11-page document with instructions on how to get rid of the said certificate. Dell is yet to acknowledge any vulnerability in the DSDTestProvider certificate.