Security Risks Associated with Komodia Redirector with SSL Digestor - Lenovo Superfish

Number: AL15-002
Date: 20 February 2015

Purpose

The purpose of this alert is to bring attention to recently published security risks associated with Komodia Redirector with SSL Digestor and Superfish installed on Lenovo products.

Assessment

CCIRC is aware of open source reporting concerning Lenovo products pre-installed with Superfish software, which introduces a vulnerability that could be leveraged for malicious purposes.

Superfish is a visual search platform that was shipped pre-installed on certain Lenovo laptop products between October 2014 and December 2014.  Superfish installs a self-signed root CA (certificate authority) certificate into the system's trusted root store. Anyone who holds the matching private key can issue certificates that affected machines will trust, and can therefore intercept and decrypt traffic that should be secure.  That private key was made publicly available online.

Superfish builds this mechanism on Komodia Redirector with SSL Digestor. Further research by CCIRC revealed that other software packages use the same Redirector with SSL Digestor functionality and, like Superfish, install self-signed root CA certificates on users' computers. The private keys for these CA certificates are hard coded into the software and have been shown to be easily recoverable on all affected versions.  This leaves users open to abuse: a malicious actor holding one of these private keys can forge certificates that chain to the installed root, so that spoofed sites are accepted without warning and malicious files can be made to appear trusted when downloaded and installed.
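A practitioner-side check for the condition described above, added here as an example and not part of the CCIRC alert or of any vendor tooling: it enumerates the Windows trusted root stores for self-signed root certificates whose subject names an affected product, and can remove them once a match is confirmed. The product name fragments in $SuspectPatterns are assumptions to adjust for other Komodia-based packages; removal from the LocalMachine store requires an elevated PowerShell session.

```powershell
# Added example, not from the CCIRC alert. Lists (and optionally removes) trusted root
# certificates installed by Komodia-based products such as Superfish.
# Assumption: the offending roots can be recognised by a substring in their Subject;
# extend $SuspectPatterns with any other product names you need to hunt for.
param(
    [switch]$Remove
)

$SuspectPatterns = @('Superfish', 'Komodia')          # assumed name fragments
$RootStores      = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $RootStores) {
    Get-ChildItem -Path $store | Where-Object {
        $cert = $_
        # A root injected by such software is self-signed (Subject equals Issuer) ...
        ($cert.Subject -eq $cert.Issuer) -and
        # ... and its Subject names the product rather than a public CA.
        ($SuspectPatterns | Where-Object { $cert.Subject -like "*$_*" })
    } | ForEach-Object {
        [PSCustomObject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
        }
    }
}

if (-not $findings) {
    Write-Output 'No Superfish/Komodia root certificates found in the trusted root stores.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Removing the root is what stops forged certificates from being trusted; the
        # interception software itself still has to be uninstalled separately.
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -Verbose
    }
}
```

Run the script without arguments to report, and with -Remove to delete the matched roots. Removing the certificate alone closes the trust problem; the software that installed it should still be uninstalled, and it is worth re-running the check afterwards because some packages reinstall their root on next start.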

Known software that uses Komodia Redirector with SSL Digestor includes:

Suggested Action

CCIRC recommends the following mitigations and workarounds for affected applications:

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
