Users who installed Sennheiser's HeadSetup software were unknowingly also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software also installed an encrypted version of the certificate's private key, and that encryption was not as secure as the developers may have thought.
Similar to the Lenovo SuperFish fiasco, this certificate and its associated private key were the same for everyone who installed the particular software. As a result, an attacker who was able to decrypt the private key could issue fraudulent certificates for other domains that they have no control over. This would allow them to perform man-in-the-middle attacks to sniff the traffic when a user visits these sites.
While these certificate files are deleted when a user uninstalls the HeadSetup software, the trusted root certificate is not removed. This would allow an attacker who had the right private key to continue to perform attacks even when the software was no longer installed on the computer.
According to a vulnerability disclosure issued today by security consulting firm Secorvo, these certificates were discovered when doing a random check of a computer's Trusted Root CA Certificate store.
"Upon such a rare inspection of the Trusted Root CA store, we stumbled across two unexpected root certificates," stated Secorvo's report. "The issuer names in these two certificates indicated that they have a connection to the Sennheiser HeadSetup utility software installed on our systems in conjunction with the connected headsets of this manufacturer."
When HeadSetup is installed, it will place two certificates onto the computer. These certificates are used by the software to communicate with the headset using a TLS encrypted web socket.
The first, named SennComCCCert.pem, is the root certificate, and SennComCCKey.pem is the private key for this certificate.
When the researchers analyzed the private key, they determined that it was encrypted with AES-128-CBC and that they needed to find the proper password to decrypt it. As the HeadSetup program needed to decrypt the key as well, the password had to be stored somewhere, which in this case was in a file called WBCCListener.dll.
"In order to decrypt the file we needed to know the encryption algorithm and key that the manufacturer used for encryption," the researchers explained. "Our first guess was that the vendor employed the common AES encryption algorithm with 128-bit key in CBC mode. In the HeadSetup installation directory, we found only one piece of executable code that contained the file name SennComCCKey.pem, a DLL file named WBCCListener.dll. We searched for “AES” in the strings contained in this DLL. The result is shown in Figure 4: there is indeed the algorithm identifier aes-128.cbc. We found the key that the vendor used in close proximity to that algorithm identifier, stored in clear in the code."
Once they decrypted the private key into a standard OpenSSL PEM, they once again needed a passphrase to use it. This passphrase was located in a configuration file called WBCCServer.properties.
Now that they had access to the private key for the root certificate, they were able to generate a wildcard certificate valid for google.com, sennheiser.com, and for fun, some of the headset maker's competitors - jbl.com, harmankardon.com, and bose.com.
As this certificate was created using the same private key found on any computer that installed the same version of HeadSetup, those other computers would also be vulnerable to this certificate. It could then be used by an attacker to perform a man-in-the-middle attack to read and alter the secure traffic to these sites.
While there is definitely information to be stolen from these sites, attackers could just as easily create fraudulent certificates for banks in order to steal login credentials, credit card information, or other sensitive data.
Removing the insecure root certificate
Secorvo had responsibly disclosed this vulnerability to Sennheiser in advance and was issued the unique ID CVE-2018-17612. They were told by Sennheiser that an updated version of the HeadSetup software would be released by the end of November. When installed, the update would remove the trusted root certificates and make sure that no certificates are left behind when the software has been removed.
In the meantime, Sennheiser has released a batch file and information that can be used to remove the certificates for those who want to be protected immediately. It is strongly suggested that all HeadSetup users download and execute this script to remove the vulnerable certificates.
Microsoft has also released the security advisory ADV180029, titled "Inadvertently Disclosed Digital Certificates Could Allow Spoofing", that explains that Microsoft has released an updated Certificate Trust List that removes trust for these certificates.
"Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates," stated the advisory. "The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication."
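Because the root certificate stays in the store after HeadSetup is uninstalled, it is worth checking a machine directly. The following PowerShell audit is an added example, not Sennheiser's batch file or Secorvo's code: it lists matching certificates in the Trusted Root stores and asks the Windows chain engine whether each is still trusted. The subject pattern `Senn` is an assumption based on the file names above, and the thumbprint is a placeholder to be filled in from ADV180029 or the Secorvo report.

```powershell
# Added example: report leftover HeadSetup root certificates and whether
# Windows still trusts them. Read-only; nothing is removed.
param(
    # Assumption: the certificate names contain "Senn", as the file names
    # SennComCCCert.pem / SennComCCKey.pem suggest. Adjust as needed.
    [string]   $SubjectPattern   = 'Senn',
    # Placeholder: put the thumbprints published in the advisory here.
    [string[]] $KnownThumbprints = @('<THUMBPRINT-FROM-ADVISORY>')
)

$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -like "*$SubjectPattern*" -or
        $_.Issuer  -like "*$SubjectPattern*" -or
        $KnownThumbprints -contains $_.Thumbprint
    } | ForEach-Object {
        # Build a chain for the root itself. After the updated Certificate
        # Trust List is applied, a distrusted root fails to build and the
        # status flags explain why (for example ExplicitDistrust).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($_)

        [pscustomobject]@{
            Store        = $store
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            StillTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus.Status -join ', ')
        }
    }
}

if ($findings) {
    $findings | Format-List
    Write-Warning ("{0} matching root certificate(s) found; any with StillTrusted = True need removal." -f @($findings).Count)
} else {
    'No matching certificates found in the Trusted Root stores.'
}
```

Run it from an elevated prompt so the LocalMachine store is fully readable; a match on the subject pattern alone should be confirmed against the published thumbprints before acting on it.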