Microsoft has issued a security advisory today warning that two applications accidentally installed two root certificates on users’ computers and shipped the corresponding private keys alongside them.

The software developer’s mistake means that malicious third parties can extract the private keys from the two applications and use them to issue forged certificates that spoof legitimate websites and software publishers, on any system that still trusts the roots, for years to come.

The two applications are HeadSetup and HeadSetup Pro, both developed by the German audio-equipment maker Sennheiser. The software is used to set up and manage softphones, software applications that make telephone calls over the Internet from a computer without a physical telephone.

The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users’ computers and also shipped the corresponding private keys in a file named SennComCCKey.pem. A private key bundled with an installer is, for practical purposes, public: anyone who downloads the installer has it.

In a report published today, Secorvo researchers published proof-of-concept code showing how trivial it would be for an attacker to analyze the installers for both apps and extract the private keys.

Making matters worse, the certificates are also installed for Mac users via the HeadSetup macOS app, and neither current HeadSetup updates nor uninstalling the software removes them from the operating system’s Trusted Root Certificate Store.

In the researchers’ own words, “every system on which HeadSetup […] was installed at any time in the past […] remains vulnerable” until users manually review the Trusted Root Certificate Store and remove the two certificates, or until the certificates expire, on January 13, 2027 and July 27, 2037 respectively.

Sennheiser, the software vendor behind the snafu, has admitted its mistake and removed the two apps from its website’s download section while it works on an update scheduled for release later this week.

The company says this HeadSetup update will search for and remove the root certificates from affected systems and replace them with new ones whose private keys are not shipped with the software.

Customers who have installed Sennheiser HeadSetup software should update their apps as soon as the updates become available. Users who have never installed HeadSetup have nothing to do, since the certificates are only trusted on machines where the installer placed them. Users who installed it and later uninstalled it, however, are still exposed, because uninstalling does not remove the certificates.

In the meantime, Microsoft has updated its Certificate Trust List (CTL) to remove user-mode trust in the three certificates. This means that websites or software signed with forged certificates chaining to the offending roots will trigger an error for Windows users. Note that the CTL update blocks trust in the certificates; it does not delete them from the local certificate store, which is why the manual cleanup below still matters.

Users or system administrators who cannot wait for Sennheiser’s HeadSetup update to remove the offending certificates can follow section 7.2 of the Secorvo report for instructions on manually removing them from the Windows Trusted Root Certificate Store. Sennheiser has also published guides on removing the three certificates for Windows and macOS users.
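The following PowerShell script is an added example of how an administrator can audit the Windows Trusted Root stores for leftover certificates of this kind and, optionally, remove them. It is not Sennheiser’s or Secorvo’s code and it makes two assumptions the article does not state: that the certificates’ Subject field contains the string “SennCom”, and that the leaked key file SennComCCKey.pem lives somewhere under Program Files. Prefer passing exact thumbprints from the Secorvo report or the Microsoft advisory via -Thumbprint; the subject pattern is a fallback.

```powershell
<#
 Audit (and optionally remove) leftover root certificates in the Windows
 Trusted Root stores. Added example, not vendor code.
 ASSUMPTIONS: -SubjectPattern 'SennCom' is a guess at the certificates'
 Subject; the location of SennComCCKey.pem under Program Files is a guess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $SubjectPattern = 'SennCom',  # assumed subject fragment
    [string[]] $Thumbprint     = @(),         # exact thumbprints, preferred when known
    [switch]   $Remove                        # without this the script only reports
)

# Both stores matter: a per-user install lands in CurrentUser\Root,
# a machine-wide install in LocalMachine\Root.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        ($Thumbprint.Count -gt 0 -and $Thumbprint -contains $_.Thumbprint) -or
        ($Thumbprint.Count -eq 0 -and $_.Subject -match $SubjectPattern)
    } | ForEach-Object {
        $bc = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter                 # compare with the 2027 / 2037 expiry dates
            IsCA       = [bool]($bc | ForEach-Object { $_.CertificateAuthority })
            SelfSigned = ($_.Subject -eq $_.Issuer)  # a self-signed entry here is a trust anchor
        }
    }
}

if (-not $found) {
    Write-Host "No matching certificates in $($stores -join ', ')."
} else {
    $found | Format-Table -AutoSize
}

# The leaked key file itself; its location is an assumption.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $searchRoots -Recurse -Filter 'SennComCCKey.pem' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Private key file still on disk: $($_.FullName)" }

if ($Remove) {
    foreach ($c in $found) {
        # The Cert: provider addresses entries as <store>\<thumbprint>.
        $path = Join-Path $c.Store $c.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove certificate')) {
            Remove-Item -Path $path
        }
    }
}
```

Run it without arguments to get a report only; add -Remove -WhatIf to preview deletions, and -Remove from an elevated prompt to actually delete (removing from LocalMachine\Root requires administrator rights). Because the CTL change Microsoft pushed does not touch the local store, an untouched machine will still show the entries here even after Windows has stopped trusting them.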

Sennheiser’s snafu, tracked as CVE-2018-17612, is not the first of its kind. In 2015, Lenovo shipped laptops with a root certificate whose private key was exposed, in a scandal that became known as Superfish. Later that same year, Dell did the same thing in a similarly bad security incident that became known as eDellRoot.
