Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com)

Catalin Cimpanu, reporting for ZDNet: Microsoft has issued a security advisory this week warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all. The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.

The two applications are HeadSetup and HeadSetup Pro, both developed by German audio hardware company Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing an actual physical telephone. The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers but also included the private keys for all in the SennComCCKey.pem file.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday November 28, 2018 @10:28AM (#57714672) Homepage Journal

    I tried to follow the advisory link in TFS and was redirected to a page asking me to accept a EULA [microsoft.com]. I have to agree to a EULA before I can read a security advisory? Holy fucking shit. Tell me again how this isn't the same old evil Microsoft. Actually, it isn't; time was, you could read anything on their site even without javascript. Now you need to not only enable scripts, but agree to a contract?

    Fuck that. Die of ass cancer in a fire, Microsoft.

    • Fuck that. Die of ass cancer in a fire, Microsoft.

      Too good for them.

    • by Viol8 ( 599362 ) on Wednesday November 28, 2018 @10:34AM (#57714730) Homepage

      The 21st century MS is far more of the latter as all their decent programmers and team leads upped and left years ago.

    • Probably because of the GDPR. A lot of pages state that because of the GDPR, all people connecting have to agree to stuff (usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage) before they can access the page.

      • by mysidia ( 191772 )

        usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage

        Generally in such an online EULA there would need to be an Opt-Out option provided where users can avoid the binding arbitration to avoid claims of procedural unconscionability invalidating the no-sue arbitration and rights waivers.

        • Looks like the opt-out option is to leave the page...

          This makes me wonder if this violates the GDPR's spirit.

          • by gnasher719 ( 869701 ) on Wednesday November 28, 2018 @12:27PM (#57715428)

            Looks like the opt-out option is to leave the page...

            This makes me wonder if this violates the GDPR's spirit.

            It violates both the spirit, and the law. (According to law.stackexchange.com).

          • by mysidia ( 191772 )

            This makes me wonder if this violates the GDPR's spirit.

            Opt-Out by leaving the page is NOT GDPR compliant.

            In fact.... Opt-Out in general is non-compliant with the GDPR.

            The GDPR requires Opt-In, and the default cannot be that you Opt-In, AND
            the service cannot require you to Opt-In in order to have full use of the service.

            That's why "closing the page to opt-out" is non-compliant: If you close the page, then
            you cannot proceed to use the service, because you've left the service without having use

      • by Anonymous Coward

        The only reason to have a "click to accept" or "EULA" is because the web page owner wants to f*ck you out of the rights guaranteed by the GDPR.

        If Micro$oft really wanted to provide the information freely without trying to track the reader and sell their data to whoever wants it, they wouldn't need an EULA.

      • Probably because of the GDPR. A lot of pages state that because of the GDPR, all people connecting have to agree to stuff (usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage) before they can access the page.

        The problem of these sites is that they don't just need me to press a button, but to actually voluntarily consent. If the site only gives me the choice to either consent or not see the site, then they are in violation of the GDPR. (Source: Recent discussion on law.stackexchange.com with the relevant paragraphs of GDPR attached).

        slashdot.com is probably also in violation of GDPR, asking users again and again, so that we can safely assume that a click on "I agree" is not agreement, but clicking the wrong b

    • Oh noes an EULA for reading a security advisory. I notice you didn't have any problem accepting a EULA to make this post.

    • The underlying paper is here:
      https://www.secorvo.de/publika... [secorvo.de]

      The CVE is here:
      https://nvd.nist.gov/vuln/deta... [nist.gov]

  • by Anonymous Coward

    Sennheiser makes headphones. WTF were they installing root certificates for?

    • It's funny that it's a telephone app used to sell headsets.

      And I can totally see installing root certificates as being the most direct way to solve their problems using authentication libraries on Windows. The wrong way, but the most direct. I guess a headphone company didn't want to pay to have their certificates signed, so they became their own authority. Best way to lose money is to cut costs.

      • And instead of a security update to remove and block these compromised root certs, we get a "this is fine" from MS.
        • From the security advisory:

          As a precaution, Microsoft has updated the Certificate Trust List to remove user-mode trust for these certificates. Customers who have not installed Sennheiser HeadSetup software have no action to take to be protected. Customers who have installed Sennheiser HeadSetup software should update that software via the links above.

          They did just what you ask, via the automatic Certificate Trust list Download. If you have the CTLD process download broken in your environment you can distri
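The advisory text quoted above relies on the Certificate Trust List to withdraw user-mode trust, which leaves an administrator without a direct view of what third-party roots are actually sitting in the stores. The script below is an added example, not Microsoft's code or anything from the advisory: it downloads Microsoft's current Trusted Root Program list with certutil, lists every certificate in the user and machine Root stores that is not on that list, and flags whether each one has an explicit entry in the Disallowed store. It assumes Windows 8 / Server 2012 or later and Windows Update reachability; the store paths and OID are standard, the output columns are this example's own choice.

```powershell
# Added example, not from Microsoft's advisory or the thread: list the certificates in
# the user and machine Root stores that are NOT part of Microsoft's Trusted Root
# Program list, and flag whether each one has been explicitly distrusted on this
# machine. A vendor-installed CA like the one discussed above shows up here.
# Assumes Windows 8 / Server 2012 or later (certutil -generateSSTFromWU) and Internet
# access to Windows Update; run from an elevated prompt to read the machine store.

$sstPath = Join-Path $env:TEMP 'authroot.sst'
# Download Microsoft's current root list as a serialized certificate store (.sst).
# On a machine without Windows Update access, generate the file elsewhere and copy it.
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "authroot.sst was not generated; check Windows Update access" }

$msRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$msRoots.Import($sstPath)
$microsoft = @{}
foreach ($c in $msRoots) { $microsoft[$c.Thumbprint] = $true }

# Explicit distrust entries (certmgr shows this store as "Untrusted Certificates").
# The CTL-based distrust Microsoft pushed for the HeadSetup roots is delivered by the
# auto-update mechanism and is not enumerated here.
$disallowed = @{}
foreach ($c in Get-ChildItem Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed) {
    $disallowed[$c.Thumbprint] = $true
}

$findings = foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    foreach ($cert in Get-ChildItem $store) {
        if ($microsoft.ContainsKey($cert.Thumbprint)) { continue }   # a Microsoft-program root
        $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basicConstraints
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsCA       = [bool]($bc -and $bc.CertificateAuthority)
            Distrusted = $disallowed.ContainsKey($cert.Thumbprint)
        }
    }
}

if (-not $findings) { 'No roots outside the Microsoft Trusted Root Program were found.' }
else { $findings | Sort-Object Store, Subject | Format-Table -AutoSize }
```

Roots pushed by an internal enterprise PKI through Group Policy will appear in this list as well, so treat the output as a review queue rather than a delete list: the interesting entries are CA certificates in a per-user Root store with no enterprise owner.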

      • Classic "stay in your lane" problem. Though I would be surprised if Sennheiser even did the application development in house. Vastly more likely they either bought some of the not-quite-COTS customizable middleware stuff and had it branded or they contracted out to someone in Southeast Asia who pulled a, "needfully provide root cert to install drivers and sign packages".
  • by Anonymous Coward

    ...both developed by German software developer Sennheiser

    You mean Sennheiser, one of the world's largest, high-end audio hardware companies? It's the obvious lack of research on the small things that exposes journalists' complete misunderstanding of the big things.

  • WTF (Score:5, Insightful)

    by DarkOx ( 621550 ) on Wednesday November 28, 2018 @11:02AM (#57714858) Journal

    The entire point of 'APPS' is to sandbox stuff so the rest of the system is not compromised by a bad app. Android manages to fail in some ways with actual vulns where an evil app can send malformed messages to other apps etc. However by and large the permissions model works for single user devices.

    Serious question for MS why in the world can an app modify the system trusted roots? Why is that even possible? Seems like the sort of thing that only a first party signed tool should be permissioned to do!

    • by Tom ( 822 )

      This.

      Why does any app have the right, or the need, to install a root certificate? What is wrong with the people who allowed that to happen in the first place (MS, that means you) and what is wrong with the people who came up with, implemented and shipped that idea (that's the apps).

      And how do all those endpoint security solutions, all the three hundred 3rd party apps you need to install on a windows system to make it halfway secure all fail to catch this?

      Here is a prime example why information security is a

      • Why does any app have the right, or the need, to install a root certificate?

        Ask your browser.
        Ask the Java installer.

        I don't understand what your fuss is about. The whole point of software is to be functional and part of being functional is using APIs in the system in the way they are intended. It's not like this happens by magic, you need elevated privileges to access this.

        • by Tom ( 822 )

          My browser includes a set of root CAs because it needs to. Online banking and all the other HTTPS stuff (i.e. some day the entire Internet) won't work properly without.

          In a perfect world, my operating system would manage the root CAs, and the browser would just use them. In reality, it's a mix of both.

          But some random app? Sorry no, it has no business messing with this.

          • because it needs to.

            Bingbingbing. You get a gold star. Now go look up what this "random" "app" actually does and things may start making far more sense to you.

            In a perfect world, my operating system would manage the root CAs

            For most browsers it does, nonetheless you need a way to install and uninstall certificates for specific purposes.

            • by Tom ( 822 )

              For most browsers it does, nonetheless you need a way to install and uninstall certificates for specific purposes.

              The keyword being "for specific purposes". That should not be system-wide.

              • What part of our connected online world where multiple applications access the same information often through a cloud (kind of like this service here) would imply that security certificates should not be system wide?

                • by Tom ( 822 )

                  Explain to me why a headphone needs to install a certificate that will change which websites my browser trusts. Yes, I understand you can make a stupid design that requires this, but your design - your responsibility. So apart from that, why should the trust that contains my online banking and health insurance be modifiable by a random hardware gadget?

                  I'm curious for any explanation that doesn't contain a variation of the phrase "because some other part of the thing that we designed relies on it". Find me a

                  • Explain to me why a headphone needs to install a certificate

                    No I won't spoon feed you. The fact that you think this is a headphone that needs to install a certificate simply shows you have taken not the slightest bit of interest in the topic at hand. You don't even know the product, its purpose, how to manage it, or its target market, yet somehow you feel qualified to speak about it from your position of immense ignorance.

                    Educate yourself and then maybe we can continue this discussion. Because right now it's as pointless as me telling you that you paid too much fo

      • > Why does any app have the right, or the need, to install a root certificate?

        This is addressed in the underlying paper.

        The Sennheiser HeadSetup SDK supports the use of a locally connected headset by webbased softphones in a browser, loaded from a server web site via HTTPS. According to [Senn2018], the way HeadSetup supports this application scenario is by opening a local secure web socket (WSS) through which the headset can be accessed from within the browser. According to Sennheiser, the browser must b

        • by Tom ( 822 )

          You didn't answer the question. They were lazy and cheap, that's all. It is possible to set up CORS properly. It is possible to get your certificate signed by a proper root CA. And nothing in the world forces you to use this particular method to access the device, you could have designed the setup differently.

          This answer is like saying "yeah, I gave the keys to the vault to every bank customer so they can go and take money whenever they need it. Much easier and convenient and we don't need to pay tellers."

          • It is possible to get your certificate signed by a proper root CA.

            With the utmost respect, you are incorrect. Per the CA/Browser Forum guidelines no publicly trusted CA should issue a certificate for an intranet name or IP address including both localhost and 127.0.0.1. Additionally, consider that your approach would have them use the same certificate on every machine that received the software. If that was the architectural decision then there would be no need to ship the root certificate public key t

            • by Tom ( 822 )

              Per the CA/Browser Forum guidelines no publicly trusted CA should issue a certificate for an intranet name or IP address including both localhost and 127.0.0.1.

              That is true. I stand corrected.
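The exchange above turns on a rule of the CA/Browser Forum Baseline Requirements: a publicly trusted CA may not issue a server certificate for a reserved IP address or for an internal name that cannot be verified in the public DNS, so a local WSS endpoint on 127.0.0.1 or localhost cannot simply be covered by a certificate from a public CA. The script below is an added example, not part of the thread or of the Secorvo paper: it encodes that rule as a pre-design check you can run against the names a local service would need. The sample names at the bottom are constructed, and the shortlist of internal-looking suffixes is this example's own approximation of the Public Suffix List.

```powershell
# Added example, not from the thread or the Secorvo paper: check whether a public CA
# bound by the CA/Browser Forum Baseline Requirements may issue a server certificate
# for a given subjectAltName at all. Reserved IP addresses and names without a public
# DNS suffix are prohibited, which is why a local WSS endpoint on localhost or
# 127.0.0.1 cannot just "get a certificate from a proper CA".
# The internal-suffix shortlist below is constructed for the demo; a real
# implementation consults the Public Suffix List.

function Test-ReservedIPv4 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    $first = [int]$b[0]; $second = [int]$b[1]
    $hits = @(
        $first -eq 0                                                 # 0.0.0.0/8 "this network"
        $first -eq 10                                                # 10.0.0.0/8 (RFC 1918)
        $first -eq 127                                               # 127.0.0.0/8 loopback
        ($first -eq 100 -and $second -ge 64 -and $second -le 127)    # 100.64.0.0/10 shared address space
        ($first -eq 169 -and $second -eq 254)                        # 169.254.0.0/16 link-local
        ($first -eq 172 -and $second -ge 16 -and $second -le 31)     # 172.16.0.0/12 (RFC 1918)
        ($first -eq 192 -and $second -eq 168)                        # 192.168.0.0/16 (RFC 1918)
        $first -ge 224                                               # multicast and reserved
    )
    return [bool]($hits -contains $true)
}

function Test-ReservedIPv6 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    # ::1, fe80::/10, fec0::/10 and fc00::/7 unique local addresses
    return [System.Net.IPAddress]::IsLoopback($Address) -or $Address.IsIPv6LinkLocal -or $Address.IsIPv6SiteLocal -or (($b[0] -band 0xFE) -eq 0xFC)
}

function Test-PubliclyIssuableSan {
    param([Parameter(Mandatory)][string]$Name)
    $result = { param($ok, $why) [pscustomobject]@{ Name = $Name; Issuable = $ok; Reason = $why } }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$ip)) {
        $reserved = if ($ip.AddressFamily -eq 'InterNetwork') { Test-ReservedIPv4 $ip } else { Test-ReservedIPv6 $ip }
        if ($reserved) { return & $result $false 'reserved IP address' }
        return & $result $true 'public IP address, subject to IP address validation'
    }
    $dns = $Name.ToLowerInvariant().TrimEnd('.')
    if ($dns -eq 'localhost' -or $dns.EndsWith('.localhost')) { return & $result $false 'localhost is reserved (RFC 6761)' }
    if ($dns -notlike '*.*') { return & $result $false 'single-label (internal) name' }
    foreach ($suffix in '.local', '.internal', '.lan', '.corp', '.home', '.test', '.example', '.invalid') {
        if ($dns.EndsWith($suffix)) { return & $result $false "no public suffix ($suffix)" }
    }
    if ($dns.StartsWith('*.') -and ($dns.Substring(2) -notlike '*.*')) { return & $result $false 'wildcard directly under a TLD' }
    return & $result $true 'public DNS name, subject to domain validation'
}

# Constructed sample: the names a local device bridge like the one described above
# would want, next to an ordinary public host name.
'localhost', '127.0.0.1', '::1', '192.168.1.10', 'headset-bridge', 'bridge.corp', 'device-bridge.example.com', '*.com' |
    ForEach-Object { Test-PubliclyIssuableSan $_ } | Format-Table -AutoSize
```

Every name a browser would use to reach a service on the same machine comes back as not issuable, which is the constraint that pushed the vendor toward a private root in the first place; the check does not say that shipping one key to every customer was the only way around it.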

    • So typically in Windows - to install software you need local admin rights - once you're running as admin you can modify the trusted root in the Windows Certificate Store - that's the security model.

      There are limitations though - you can't use the patch engine unless the patch is signed by Microsoft or you have the trusted publisher setup via GPO. Depending on the type of driver as well if it's not Microsoft signed you can't install it at all (short of disabling OS code signing, which you can do as admin as we

      • I would add to this that this is a legacy application - which isn't really sandboxed. I suspect they installed this to work around not signing their drivers properly (there's an easier solution - just add the public key to the trusted publisher store).

        Modern apps - i.e. Windows Store apps can't modify the trusted root.
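The two comments above describe both halves of the remediation an administrator actually performs: removing and explicitly distrusting a root that an installer dropped into the store, and the narrower alternative of trusting only a vendor's code-signing certificate in TrustedPublisher. The script below is an added example, not code from Sennheiser, Microsoft or the thread. The thumbprint and the .cer path are parameters you supply (the thread does not list the HeadSetup certificate values, and none are invented here); the store paths are the standard Windows ones.

```powershell
# Added example, not from the thread or Microsoft's advisory: explicitly distrust a
# vendor-installed root on one machine, and show the narrower alternative for a
# vendor that only needs its drivers or installers to be trusted. Run elevated.
# $Thumbprint and $PublisherCer are placeholders supplied by the caller; this thread
# does not list the real HeadSetup certificate values and none are assumed here.

param(
    [Parameter(Mandatory)][string]$Thumbprint,   # SHA-1 thumbprint of the unwanted root
    [string]$PublisherCer                        # optional vendor code-signing cert (.cer)
)

# Normalize to the upper-case hex form the Cert: provider uses.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $cert = Get-ChildItem $store | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { continue }
    # Keep a copy so the distrust entry is built from the exact certificate.
    $export = Join-Path $env:TEMP "$Thumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $export -Force | Out-Null
    # Removing it from Root stops new trust decisions; adding it to Disallowed makes the
    # distrust explicit even if a reinstall or a per-user profile brings the root back.
    Remove-Item -Path $cert.PSPath -Force
    Import-Certificate -FilePath $export -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
    Write-Output "removed $Thumbprint from $store and added it to LocalMachine\Disallowed"
}

if ($PublisherCer) {
    # The narrower fix a driver/installer vendor actually needs: trust its Authenticode
    # signing certificate for code-signing prompts only, not a new root for every purpose.
    Import-Certificate -FilePath $PublisherCer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    Write-Output "imported $PublisherCer into LocalMachine\TrustedPublisher"
}
```

TrustedPublisher only suppresses the "do you trust this publisher" prompt for a signature whose chain already terminates in a trusted root; as the parent comment notes, kernel-mode drivers on current Windows still need Microsoft's signature regardless, so this store is the right place for installer and user-mode package signatures, not a way around driver signing.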

    • by Nkwe ( 604125 )

      Serious question for MS why in the world can an app modify the system trusted roots? Why is that even possible?

      An application cannot modify the system trusted roots, not unless you give it root / administrative permissions. The problem is that in the Windows world many people just do everything with an administrative account. To compensate for this (always running with an administrative account), Windows has a feature called User Account Control (UAC) which is kind of like "sudo" in the Linux world. The continued problem is that most users just click through the UAC prompts and let any software that wants administr

    • The entire point of 'APPS' are to sandbox stuff so the rest of the system is not compromised by a bad app. Android manages to fail in some ways with actual vulns where a evil app can send malformed messages to other apps etc. However by and large the permissions model works for single user devices.

      The permission model works for a given purpose of a basic toy app. This isn't a basic toy app and it would be physically impossible for this "app" to work on Android without rooting the phone.

      While what you say is very true it still comes down to the basic tenet of security by reduced functionality.

      Serious question for MS why in the world can an app modify the system trusted roots?

      The "app" in particular is a management "app" for controlling and deploying headsets throughout the organisation and managing the devices they are connected to. I have a far more serious question. Why are you ta

  • Partners of MicroSoft (having a Certification Authority (CA) certificate) are allowed to pass through Windows Firewall with no notifications.
    I can't find a link for it now, as it was posted a very long time ago.

    • by mysidia ( 191772 )

      That's not a good reason to not run Windows firewall. It's expected to be there, and you're exposing yourself to excessive and unnecessary risk if you turn it off.
      Sure.... some applications you install can potentially circumvent outgoing restrictions by adding a custom rule when you install the application,
      But the primary purpose anyway is to reduce the attack surface for unintended Incoming IP traffic by locking down a large number of ports that are wide-open otherwise.

      • by Anonymous Coward

        "That's not a good reason to run Windows. You're exposing yourself to excessive and unnecessary risk if you turn Windows on."

        FTFY

      • That's not a good reason to not run Windows firewall. Its expected to be there, and you're exposing yourself to excessive and unnecessary risk if you turn it off.

        I don't run Windows Firewall or Antivirus. I do and have run Comodo firewall for many years.
        And a large HOSTS file helps very much.
        Sorry to take so long to reply.

  • Yeah, they make high quality expensive audio gear. But their customer service sucks, and I wouldn't be surprised if their programmers suck for the same reason.
    A few years ago, I had a problem with a cable on one of their high end headphones, where it connected to the earcup. The cable wasn't removable, so I emailed their service department to ask about repair.
    I got a very snotty reply suggesting I buy a new set of headphones. So I did. Not Sennheiser, of course. They have plenty of competition in the high-e

  • Here's the CVE with a link to the details https://nvd.nist.gov/vuln/deta... [nist.gov]
  • I've worked in the past with Beckhoff, Siemens and many other German manufacturers who also released a lot of software. They were all, without exception, terrible. The German industry has a serious software problem.
