Posted on: February 20, 2015

Systems Affected

Overview

Software which relies on Komodia Redirector with SSL Digestor introduces security risks associated with HTTPS usage. The design of this software increases the potential for HTTPS spoofing without triggering any browser warning.

Description

GNCIRT is aware of open source reporting concerning Lenovo consumer products pre-installed with Superfish VirtualDiscovery software, which introduces a vulnerability that could potentially be leveraged for malicious purposes.

Superfish is a visual search platform that was shipped pre-installed on certain Lenovo consumer laptop products between October 2014 and December 2014. The software installs a self-signed root CA (certificate authority) certificate, giving anyone who holds the corresponding private key the ability to intercept and decrypt traffic that the user believes is secure. The private key is hardcoded into the software and was made publicly available online.

For this mechanism, Superfish leverages software from Komodia Redirector with SSL Digestor. Independent research has revealed a number of other software packages which also leverage Komodia Redirector with SSL Digestor. Similar to Superfish, these other software packages also install self-signed root CA certificates on users’ computers. The private keys for these CA certificates are also hardcoded, and have been proven to be easily obtainable for all affected software. This leaves users vulnerable to abuse, since a malicious actor holding the private key could sign a certificate for any website, and the browser would present the spoofed site as trusted with no warning.
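The following PowerShell script is an added example and is not part of the GNCIRT advisory or of any vendor removal tool. It illustrates the defender's check that the description above calls for: enumerate the Windows trusted root stores (machine and current user), flag any root certificate whose subject or issuer names one of the affected vendors, and optionally remove it. The vendor name list (`Superfish`, `Komodia`) and the `-Remove` switch are assumptions chosen for illustration; extend the list with any other affected package named in the independent research.

```powershell
# Added example (not from the GNCIRT advisory): audit the Windows root stores for
# self-signed CA certificates installed by software built on Komodia's SSL Digestor.
# The $SuspectNames list and the -Remove switch are assumptions for illustration.
param(
    [string[]] $SuspectNames = @('Superfish', 'Komodia'),
    [switch]   $Remove
)

# Both stores are consulted by Windows certificate validation (SChannel, IE, Chrome).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $cert = $_
        # Flag a root whose Subject or Issuer contains any suspect vendor name.
        $SuspectNames | Where-Object { $cert.Subject -like "*$_*" -or $cert.Issuer -like "*$_*" }
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            # A root whose private key is present on the host is a strong sign of
            # local TLS interception software rather than a normal public CA.
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if (-not $findings) {
    Write-Output 'No root certificates matching the suspect vendor names were found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Deleting the root certificate withdraws trust from anything signed with
        # the leaked private key. LocalMachine\Root requires an elevated session.
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)"
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
}
```

Run it first without `-Remove` to review the findings. Uninstall the interception software itself before deleting the certificate, since a still-installed application can re-add its root on the next start. Browsers that keep their own trust store (for example Firefox) are not covered by the Windows stores and must be checked separately.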

Suggested Action

GNCIRT recommends the following steps be taken to mitigate the impact:

References