Security Risks Associated with Komodia Redirector with SSL Digestor - Lenovo Superfish
Date: 20 February 2015
The purpose of this alert is to bring attention to recently published security risks associated with Komodia Redirector with SSL Digestor and Superfish installed on Lenovo products.
CCIRC is aware of open-source reporting concerning Lenovo products pre-installed with Superfish software, which introduces a vulnerability that could potentially be leveraged for malicious purposes.
Superfish is a visual search platform that was shipped pre-installed on certain Lenovo mobile and laptop products between October 2014 and December 2014. Superfish installs a self-signed root CA (certificate authority) certificate, allowing anyone who holds the corresponding private key to intercept and decrypt secure traffic. The private key was made publicly available online.
To do this, Superfish relies on software from Komodia Redirector with SSL Digestor. Further research by CCIRC revealed that other software packages also leverage the functionality of Redirector with SSL Digestor. Like Superfish, these other software packages install self-signed root CA certificates on users' computers. The private keys for these CA certificates are hard coded and have been proven to be easily obtainable on all affected versions. This leaves users vulnerable to abuse: a malicious actor holding the private key could issue spoofed certificates, so that malicious files would be inherently trusted when installed.
Known software that uses Komodia Redirector with SSL Digestor includes:
- Lenovo Superfish
CCIRC recommends the following mitigations and workarounds for affected applications:
- Verify if software that uses Komodia Redirector with SSL Digestor is installed.
- Consider uninstalling software that uses Komodia Redirector with SSL Digestor and associated root CA certificates.
- Consider removing any root CA certificates associated with the application. Note that the names of these certificates are likely to vary based on which application they were associated with.
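The two checks above (installed software and trusted root certificates) can be scripted. The following is an added example, not part of the CCIRC advisory: it runs in an elevated PowerShell session on the affected Windows host, looks for uninstall entries and self-signed root CAs whose names match a pattern list, and prints the removal command for each certificate found. The patterns 'Superfish', 'VisualDiscovery' and 'Komodia' are taken from this advisory; other Komodia-based products use different certificate names, so extend the list as names become known.

```powershell
# Added example (not from the CCIRC advisory): inventory Superfish / Komodia-style
# artifacts on a Windows host. Run from an elevated PowerShell session.
# Name patterns are an assumption: extend them as other affected products are named.
$namePatterns = @('Superfish', 'VisualDiscovery', 'Komodia')

# 1. Installed programs: check both the 64-bit and 32-bit Uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($namePatterns | Where-Object { $name -match $_ })
    } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# 2. Trusted root stores (machine-wide and current user): report self-signed CAs
#    whose subject matches a pattern. Firefox keeps its own certificate store and is
#    not covered here (see the Mozilla removal instructions in this advisory).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$suspectCerts = Get-ChildItem -Path $stores |
    Where-Object {
        $subject = $_.Subject
        ($_.Subject -eq $_.Issuer) -and ($namePatterns | Where-Object { $subject -match $_ })
    } |
    Select-Object PSParentPath, Subject, Thumbprint, NotBefore, NotAfter

Write-Host 'Matching installed programs:'
$programs | Format-Table -AutoSize
Write-Host 'Matching self-signed root certificates:'
$suspectCerts | Format-Table -AutoSize

# 3. Removal: uninstall the application first (so it does not re-install the CA),
#    then delete each certificate by thumbprint from the store it was found in.
foreach ($cert in $suspectCerts) {
    # PSParentPath looks like '...Certificate::LocalMachine\Root'; rebuild the Cert: path.
    $storePath = 'Cert:\' + ($cert.PSParentPath -split '::')[-1]
    Write-Host "To remove: Remove-Item -Path '$storePath\$($cert.Thumbprint)'"
}
```

Because certificate names vary between Komodia-based products, a pattern miss does not mean the host is clean; reviewing every self-signed entry in the root stores is the safer follow-up.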
- Superfish Vulnerability
- Superfish removal instructions
- US-CERT Alert (TA15-051A) Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing
- Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys
- Deleting a Root Certificate for Mozilla products
- Removal Instructions for VisualDiscovery Superfish application
- Delete certificates in your Windows certificate store
- Manage certificates in your certificate store
- Microsoft updates Windows Defender, fries Superfish like a piece of Carp that it is
- Lenovo CTO: We're Working to Wipe Superfish App Off of PCs
- Lenovo Turns Off Superfish PC Adware Following Customer Complaints
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that the CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118