-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0110
        Certificate installed with Dell Foundation Services allows
                         man-in-the-middle attack
                             25 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Dell Foundation Services
Operating System:     Windows
Impact/Access:        Access Privileged Data         -- Remote with User Interaction
                      Provide Misleading Information -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Friday, December 25 2015

Comment: AusCERT has received reports that a private key and pass-phrase have
         been publicly disclosed for a certificate shipped with Dell 
         Foundation Services.

OVERVIEW

        Dell Foundation Services software (provided on Dell PCs) since 
        August 2015 has included an eDellRoot Certificate Authority. AusCERT
        has received reports that the private key and pass-phrase for this 
        CA have been publicly released. [1]


IMPACT

        Systems with the Dell Foundation Services application installed 
        which contain the eDellRoot CA are vulnerable to potential man-in-
        the-middle attacks.
        
        This certificate can be used to sign for arbitrary domains. However,
        Commercial customers who reimaged their systems without Dell 
        Foundation Services are not affected by this issue. Additionally, 
        the certificate will be removed from all Dell systems with Dell 
        Foundation Services software installed with moving forward. 
        [2][3][4]


MITIGATION

        AusCERT recommends that you take the time to investigate how this 
        has impacted on your systems. If you locate the eDellRoot CA it 
        should be removed.
        
        This site can be used to check for the eDellRoot CA: 
        https://edell.tlsfun.de/
        
        If the eDellRoot CA is installed it can be removed by:
        
        Start -> type "certmgr.msc" -> (accept on UAC prompt) -> Trusted 
        Root Certification Authorities -> Certificates -> locate eDellRoot 
        and remove.
        
        Dell systems with Dell Foundation Services software installed will 
        remove the eDellRoot certificate starting from 24 November 2015 via
        a software update. [1]


REFERENCES

        [1] Response to Concerns Regarding eDellroot Certificate
            http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate

        [2] Superfish 2.0: Dangerous Certificate on Dell Laptops breaks
            encrypted HTTPS Connections
            https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html

        [3] Security Bug in Dell PCs Shipped Since 8/15
            http://krebsonsecurity.com/2015/11/security-bug-in-dell-pcs-shipped-since-815/

        [4] Dude, You Got Dell’d: Publishing Your Privates
            https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-privates

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVlUSEX6ZAP0PgtI9AQKFkxAAwBtMrjZHLYlgTY6MGN7dauSDt9ehXWX8
a200yn+zKCsysjtQIRdu7XNLqosK9rrbHar2+t9Jn23L+nmJRKn2RKFZHapIVJrX
cm2rxjChir9pNPHF07ODDpf/5ZpCmESBvDg7I8bqOkB3YKN7vmLEQdZO+1xXtpH4
nNZLZUg6nAGVBAUB8DmUk7KQ+5rPf+3L+X4SHauZvrfKtvFGZiRyvl+CsK8iRynP
7dydpsRtzm2iJGek5nzAlsWT4RGScd2vVdo33AI0iBlFNV59v4RCT93DvBAQH2f9
+GBt5/Q3dVbTok6X2fBtLGBX4EkObZarcWs0GS3tM/NxRzHcwNV1tmC/u8ULM0iJ
GiCCIrIGbmTl7+JXx1TZSzqS6DHRZEg9XgNtdp77od6QEEjC3ck5KF6OUiTfb8U/
134CpefrgOl1IfLPLBGy0qw+/8bMKoQMxtggHLqhV1jplo1X8QZPgqvijlhTZ5YR
diBkpivqFvlQE3PX6ngKVGZuQ6T8HeAQG8g4ir6+eeUzcCEPiN+VGeG8jyCLsPVc
dPDzG3UPGJmqHLDmv5xhPmvNhaHWgw/RJTykOPcZRP0Htb8UD7XlCNjOFT2g5ihU
1IUP064RfV9CwXJjfWPjrdiFyTQvvinb/4+qro4L/mcLPBEGhPAsb4XnBpbc3tIO
qdEwWpwUuA0=
=2HbE
-----END PGP SIGNATURE-----