The news that Dell has been shipping a trusted root Certificate Authority (CA) on brand new computers has been widely reported in the last few days. If you have not yet caught up with it, a Dell CA has been bundled with the software installed on new machines, and that bundle unfortunately also contains the CA's private key. Anyone who has that private key, which means anyone with access to a new Dell computer, can sign any certificate. A suitably positioned attacker could therefore masquerade as trusted secure websites, with no visible warning in the end user's browser.
However, Cyberis has noted that this issue is not limited to new computers. Within the last few weeks, we have identified multiple customer machines with another trusted CA installed, called DSDTestProvider (serial a44c3847f8ee7180434db180b9a7e962, thumbprint 02c2d931062d7b1dc2a5c7f5f0685064081fb221). Again, this trusted CA ships with its corresponding private key, allowing anyone in possession of that key to generate new "trusted" certificates. All of the machines identified were cleanly built from Microsoft-supplied installation media on Dell hardware. The only commonality between the affected machines was that users had reportedly run the 'Detect Product' function on the Dell support website. If you have ever used this function, or the associated 'automatically detect drivers' function, we recommend that you check your computer's certificate stores.
Uninstalling the tool does not appear to remove the rogue certificate. Visiting the Dell support website this morning (25/11/2015) and running the auto-detect function did not appear to install the certificate, but according to our customers' reports it has been installed unknowingly on freshly built workstations within the last two weeks, suggesting that if a fix has been rolled out, it has been very recent.
Recommendations are as follows:
- Examine your workstations for any suspicious CAs, and remove them if present.
- Mark the certificate(s) as untrusted via Group Policy if in a corporate environment - https://technet.microsoft.com/en-us/library/cc772491.aspx
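As an added example (not Cyberis's own tooling), the following PowerShell script checks both Trusted Root stores for the DSDTestProvider certificate by the thumbprint quoted above, reports whether the private key is present on the host, and removes the certificate when run with -Remove; the -Remove switch and the output format are assumptions.

```powershell
# Added example (not Cyberis's own script): search the Trusted Root stores of
# both the machine and the current user for the DSDTestProvider CA by the
# thumbprint quoted in the post, report whether the private key is present on
# this host, and remove the certificate if -Remove is given.
param(
    [switch]$Remove
)

# Thumbprint from the post; -eq on strings is case-insensitive in PowerShell.
$Thumbprint = '02C2D931062D7B1DC2A5C7F5F0685064081FB221'

# Trusted Root CA stores for the machine and the interactive user.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Found = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $Store
                Subject       = $_.Subject
                NotAfter      = $_.NotAfter
                # A trusted root carrying its own private key is the condition
                # described above: anyone holding that key can sign as the CA.
                HasPrivateKey = $_.HasPrivateKey
                Path          = $_.PSPath
            }
        }
}

if (-not $Found) {
    Write-Output "DSDTestProvider ($Thumbprint) not present in $($Stores -join ', ')."
    return
}

$Found | Format-Table -AutoSize

if ($Remove) {
    # Removing from LocalMachine\Root requires an elevated PowerShell session.
    foreach ($Cert in $Found) {
        Remove-Item -Path $Cert.Path -Force
        Write-Output "Removed $($Cert.Subject) from $($Cert.Store)."
    }
}
```

Running this on each workstation only removes the local copy; the Group Policy step above is still needed so that the certificate stays untrusted if it is reinstalled.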