Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com) 79
Catalin Cimpanu, reporting for ZDNet: Microsoft has issued a security advisory this week warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all. The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.
The two applications are HeadSetup and HeadSetup Pro, both developed by German audio hardware company Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing an actual physical telephone. The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers but also included the private keys for all in the SennComCCKey.pem file.
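The failure described in the summary, a private key shipped in the same PEM file as the CA certificate, is something you can audit an install directory for. This is an added example, not code from the article, Sennheiser or Secorvo; the PEM bodies are constructed placeholders and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# One PEM block: captures the label ("CERTIFICATE", "RSA PRIVATE KEY", ...) and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: a certificate and a private key bundled in one file.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQgU0FNUExF
-----END RSA PRIVATE KEY-----
"""
# Constructed sample: what a trust anchor file should look like (public part only).
SAMPLE_CERT_ONLY = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
"""

def pem_blocks(text):
    """Return (label, body) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def audit_tree(root, suffixes=(".pem", ".key", ".crt", ".cer")):
    """Report files under root that contain private key material."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        blocks = pem_blocks(path.read_text(errors="ignore"))
        keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
        if not keys:
            continue
        # An encrypted key is still a finding: a passphrase that ships with
        # the application does not keep the key secret.
        encrypted = any(l == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in b
                        for l, b in keys)
        findings.append({"file": str(path), "labels": [l for l, _ in blocks],
                         "bundled_with_cert": any(l == "CERTIFICATE" for l, _ in blocks),
                         "encrypted": encrypted})
    return findings

def demo():
    """Audit a constructed install directory and return (name, labels, encrypted)."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d, "app")
        app.mkdir()
        (app / "SennComCCKey.pem").write_text(SAMPLE_BUNDLE)
        (app / "ca-only.pem").write_text(SAMPLE_CERT_ONLY)
        return [(Path(f["file"]).name, f["labels"], f["encrypted"]) for f in audit_tree(d)]

if __name__ == "__main__":
    print(demo())
```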
Re: (Score:3)
I feel that the NSA should be paying contractors for this valuable service instead of always getting it for free. Someone ought to sue. First we need to organize an idiot software contractor's union. (ISCU)
Re: (Score:1)
BULL. FUCKING. SHIT.
This is like management at an apartment complex telling you some idiot left the back door open for anyone to get in. Did they close the door? No, but you should be appreciative of the fact that they told you about it.
Re: (Score:2)
If only there was some company that has root on all the boxes, that could delete and/or revoke these certificates.....
I am quite sure that Apple could remove root certificates during a software update on MacOS. There is a set of root certificates that are always installed by the system, that set is totally under Apple's control. Other root certificates are stored in the keychain. Storing and modifying items in the keychain requires some password, but deleting items doesn't. I would assume other operating systems can do the same. Not sure how revoking root certificates works.
Holy shit, Microsoft is more evil than usual (Score:5, Interesting)
I tried to follow the advisory link in TFS and was redirected to a page asking me to accept a EULA [microsoft.com]. I have to agree to a EULA before I can read a security advisory? Holy fucking shit. Tell me again how this isn't the same old evil Microsoft. Actually, it isn't; time was, you could read anything on their site even without javascript. Now you need to not only enable scripts, but agree to a contract?
Fuck that. Die of ass cancer in a fire, Microsoft.
Re: (Score:1)
Fuck that. Die of ass cancer in a fire, Microsoft.
Too good for them.
Never confuse evil with stupidity (Score:5, Insightful)
The 21st century MS is far more of the latter as all their decent programmers and team leads upped and left years ago.
Re: (Score:2)
Probably because of the GDPR. A lot of pages state that because of the GDPR, all people connecting have to agree to stuff (usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage) before they can access the page.
Re: (Score:2)
usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage
Generally in such an online EULA there would need to be an Opt-Out option provided where users can avoid the binding arbitration to avoid claims of procedural unconscionability invalidating the no-sue arbitration and rights waivers.
Re: (Score:3)
Looks like the opt-out option is to leave the page...
This makes me wonder if this violates the GDPR's spirit.
Re:Holy shit, Microsoft is more evil than usual (Score:4, Informative)
Looks like the opt-out option is to leave the page...
This makes me wonder if this violates the GDPR's spirit.
It violates both the spirit, and the law. (According to law.stackexchange.com).
Re: (Score:2)
This makes me wonder if this violates the GDPR's spirit.
Opt-Out by leaving the page is NOT GDPR compliant.
In fact.... Opt-Out in general is non-compliant with the GDPR.
The GDPR requires Opt-In, and the default cannot be that you Opt-In, AND
the service cannot require you to Opt-In in order to have full use of the service.
That's why "closing the page to opt-out" is non-compliant: If you close the page, then
you cannot proceed to use the service, because you've left the service without having use
Re: (Score:1)
The only reason to have a "click to accept" or "EULA" is because the web page owner wants to f*ck you out of the rights guaranteed by the GDPR.
If Micro$oft really wanted to provide the information freely without trying to track the reader and sell their data to whoever wants it, they wouldn't need an EULA.
Re: (Score:2)
Probably because of the GDPR. A lot of pages state that because of the GDPR, all people connecting have to agree to stuff (usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage) before they can access the page.
The problem of these sites is that they don't just need me to press a button, but to actually voluntarily consent. If the site only gives me the choice to either consent or not see the site, then they are in violation of the GDPR. (Source: Recent discussion on law.stackexchange.com with the relevant paragraphs of GDPR attached).
slashdot.com is probably also in violation of GDPR, asking users again and again, so that we can safely assume that a click on "I agree" is not agreement, but clicking the wrong b
Re: (Score:2)
Oh noes an EULA for reading a security advisory. I notice you didn't have any problem accepting a EULA to make this post.
Re: (Score:2)
The underlying paper is here:
https://www.secorvo.de/publika... [secorvo.de]
The CVE is here:
https://nvd.nist.gov/vuln/deta... [nist.gov]
Re: (Score:2)
These are root CA certs. Their very specific permission is to be able to sign other certs, including intermediate CA certs, by the way.
Not saying the system is the bee's knees, but clearly you don't know the first thing about it.
Re: Terrible system. (Score:2)
I think the point GP is making is why can we not have domain-specific trusted CAs, limited in this case to creating certificates for a limited purpose (like sennheiser.com)?
I understand the need for verisign et al to need a global wildcard CA, but sennheiser shouldn't, and if the system doesn't allow them to do what they need without having to give them a global trusted cert, then the system is broken.
Re: (Score:2)
Nevermind the key leak (Score:1)
Sennheiser makes headphones. WTF were they installing root certificates for?
Re: (Score:3)
It's funny that it's a telephone app used to sell headsets.
And I can totally see installing root certificates as being the most direct way to solve their problems using authentication libraries on Windows. The wrong way, but the most direct. I guess a headphone company didn't want to pay to have their certificates signed, so they became their own authority. Best way to lose money is to cut costs.
Re: (Score:1)
Actually, (Score:2)
From the security advisory:
They did just what you ask, via the automatic Certificate Trust list Download. If you have the CTLD process download broken in your environment you can distri
Re: (Score:2)
The common name has to be a real hostname, but you can put an IP address in as an alternative name. What reason was there to not use a host name in the first place?
Re: (Score:2)
How lazy can the reporting get? (Score:1)
You mean Sennheiser, one of the world's largest, high-end audio hardware companies? It's the obvious lack of research on the small things that exposes journalists' complete misunderstanding of the big things.
WTF (Score:5, Insightful)
The entire point of 'APPS' is to sandbox stuff so the rest of the system is not compromised by a bad app. Android manages to fail in some ways with actual vulns where an evil app can send malformed messages to other apps etc. However by and large the permissions model works for single user devices.
Serious question for MS why in the world can an app modify the system trusted roots? Why is that even possible? Seems like the sort of thing that only a first party signed tool should be permissioned to do!
Re: (Score:2)
This.
Why does any app have the right, or the need, to install a root certificate? What is wrong with the people who allowed that to happen in the first place (MS, that means you) and what is wrong with the people who came up with, implemented and shipped that idea (that's the apps).
And how do all those endpoint security solutions, all the three hundred 3rd party apps you need to install on a windows system to make it halfway secure all fail to catch this?
Here is a prime example why information security is a
Re: (Score:2)
Re: (Score:2)
The root CA wasn't the problem.
Yes, it was. And you explain in your next sentences why. Because we know that not every dofus can handle cryptography correctly, which is why we have a limited number of trusted root CA which we at least expect to not be complete idiots.
And that's why stupid people shouldn't handle root CAs or other dangerous materials.
Re: (Score:2)
Why does any app have the right, or the need, to install a root certificate?
Ask your browser.
Ask the Java installer.
I don't understand what your fuss is about. The whole point of software is to be functional and part of being functional is using APIs in the system in the way they are intended. It's not like this happens by magic, you need elevated privileges to access this.
Re: (Score:2)
My browser includes a set of root CAs because it needs to. Online banking and all the other HTTPS stuff (i.e. some day the entire Internet) won't work properly without.
In a perfect world, my operating system would manage the root CAs, and the browser would just use them. In reality, it's a mix of both.
But some random app? Sorry no, it has no business messing with this.
Re: (Score:2)
because it needs to.
Bingbingbing. You get a gold star. Now go look up what this "random" "app" actually does and things may start making far more sense to you.
In a perfect world, my operating system would manage the root CAs
For most browsers it does, none the less you need a way to install and uninstall certificates for specific purposes.
Re: (Score:2)
For most browsers it does, none the less you need a way to install and uninstall certificates for specific purposes.
The keyword being "for specific purposes". That should not be system-wide.
Re: (Score:2)
What part of our connected online world where multiple applications access the same information often through a cloud (kind of like this service here) would imply that security certificates should not be system wide?
Re: (Score:2)
Explain to me why a headphone needs to install a certificate that will change which websites my browser trusts. Yes, I understand you can make a stupid design that requires this, but your design - your responsibility. So apart from that, why should the trust that contains my online banking and health insurance be modifiable by a random hardware gadget?
I'm curious for any explanation that doesn't contain a variation of the phrase "because some other part of the thing that we designed relies on it". Find me a
Re: (Score:2)
Explain to me why a headphone needs to install a certificate
No I won't spoon feed you. The fact that you think this is a headphone that needs to install a certificate simply shows you have taken not the slightest bit of interest in the topic at hand. You don't even know the product, its purpose, how to manage it, or its target market, yet somehow you feel qualified to speak about it from your position of immense ignorance.
Educate yourself and then maybe we can continue this discussion. Because right now it's as pointless as me telling you that you paid too much fo
Re: (Score:2)
> Why does any app have the right, or the need, to install a root certificate?
This is addressed in the underlying paper.
Re: (Score:2)
You didn't answer the question. They were lazy and cheap, that's all. It is possible to set up CORS properly. It is possible to get your certificate signed by a proper root CA. And nothing in the world forces you to use this particular method to access the device, you could have designed the setup differently.
This answer is like saying "yeah, I gave the keys to the vault to every bank customer so they can go and take money whenever they need it. Much easier and convenient and we don't need to pay tellers."
Re: (Score:2)
With the utmost respect, you are incorrect. Per the CA/Browser Forum guidelines no publicly trusted CA should issue a certificate for an intranet name or IP address including both localhost and 127.0.0.1. Additionally, consider that your approach would have them use the same certificate on every machine that received the software. If that was the architectural decision then there would be no need to ship the root certificate public key t
Re: (Score:2)
Per the CA/Browser Forum guidelines no publicly trusted CA should issue a certificate for an intranet name or IP address including both localhost and 127.0.0.1.
That is true. I stand corrected.
Re: (Score:2)
So typically in Windows - to install software you need local admin rights - once you're running as admin you can modify the trusted root in the Windows Certificate Store - that's the security model.
There are limitations though - you can't use the patch engine unless the patch is signed by Microsoft or you have the trusted publisher setup via GPO. Depending on the type of driver as well if it's not Microsoft signed you can't install it at all (short of disabling OS code signing, which you can do as admin as we
Re: (Score:3)
I would add too this is a legacy application - which isn't really sandboxed. I suspect they installed this to work-around not signing their drivers properly (there's an easier solution - just add the public key to the trusted publisher store).
Modern apps - ie windows store apps can't modify the trusted root.
Re: (Score:3)
Serious question for MS why in the world can an app modify the system trusted roots? Why is that even possible?
An application can not modify the system trusted roots, not unless you give it root / administrative permissions. The problem is that in the Windows world many people just do everything with an administrative account. To compensate for this (always running with an administrative account), Windows has a feature called User Account Control (UAC) which is kind of like "sudo" in the Linux world. The continued problem is that most users just click through the UAC prompts and let any software that wants administr
Re: (Score:2)
The entire point of 'APPS' is to sandbox stuff so the rest of the system is not compromised by a bad app. Android manages to fail in some ways with actual vulns where an evil app can send malformed messages to other apps etc. However by and large the permissions model works for single user devices.
The permission model works for a given purpose of a basic toy app. This isn't a basic toy app and it would be physically impossible for this "app" to work on Android without rooting the phone.
While what you say is very true it still comes down to the basic tenet of security by reduced functionality.
Serious question for MS why in the world can an app modify the system trusted roots?
The "app" in particular is a management "app" for controlling and deploying headsets throughout the organisation and managing the devices they are connected to. I have a far more serious question. Why are you ta
Re: (Score:1)
You don't need to DERIVE the public key: It's already *public*. It's clearly listed in the "root CA" (PEM file or similar) on the target system. The problem here is that the idiots at Sennheiser *also* included the "private" key in the PEM file.
Once an attacker has the private key for the root CA, and that root CA is installed as a trusted root CA on a target system, the attacker has all the information needed to create a TLS certificate that can be used on any connection and the target system will automat
Re: (Score:2, Informative)
You need to read up on PKI.
ANYONE can create a "root CA". If they then convince some user, browser vendor or OS vendor to install that "root CA" (PEM file including the root CA public key) on their systems, then any system or intermediate certificate that is signed with the private key of the root CA will then be trusted by that system.
When some entity wants to issue a new "root CA" they create the "root CA" keys, one of which is "public" that they give away to anyone who wants to trust that "root CA" and t
This is why I don't run/use Windows Firewall. (Score:2)
Partners of Microsoft (having a Certification Authority (CA) certificate) are allowed to pass through Windows Firewall with no notifications.
I can't find a link for it now, as it was posted a very long time ago.
Re: (Score:2)
That's not a good reason to not run Windows firewall. It's expected to be there, and you're exposing yourself to excessive and unnecessary risk if you turn it off.
Sure.... some applications you install can potentially circumvent outgoing restrictions by adding a custom rule when you install the application,
But the primary purpose anyway is to reduce the attack surface for unintended Incoming IP traffic by locking down a large number of ports that are wide-open otherwise.
Re: (Score:1)
"That's not a good reason to run Windows. You're exposing yourself to excessive and unnecessary risk if you turn Windows on."
FTFY
Re: (Score:2)
That's not a good reason to not run Windows firewall. It's expected to be there, and you're exposing yourself to excessive and unnecessary risk if you turn it off.
I don't run Windows Firewall or Antivirus. I do and have run Comodo firewall for many years
And a large HOSTS file helps very much.
Sorry to take so long to reply.
Sennheiser not my favorite company (Score:2)
Yeah, they make high quality expensive audio gear. But their customer service sucks, and I wouldn't be surprised if their programmers suck for the same reason.
A few years ago, I had a problem with a cable on one of their high end headphones, where it connected to the earcup. The cable wasn't removable, so I emailed their service department to ask about repair.
I got a very snotty reply suggesting I buy a new set of headphones. So I did. Not Sennheiser, of course. They have plenty of competition in the high-e
Here's the CVE... CVE-2018-17612 (Score:2)
German software... (Score:1)