Microsoft Security Advisory Adv180029 for Sennheiser software - gHacks Tech News


Microsoft published a security advisory today under ADV180029 -- Inadvertently Disclosed Digital Certificates Could Allow Spoofing -- that warns users and administrators about two Sennheiser software programs that may have introduced vulnerabilities on the Windows devices they were installed on.

The two Sennheiser products, HeadSetup and HeadSetup Pro, installed root certificates on the systems they were installed on. This is why users had to run the installer with elevated privileges, but they were not informed that a root certificate was being added.

Older versions of the application placed the private key and the certificate in the installation folder, which in itself is not good practice. Worse, Sennheiser used the same private key for all installations of Sennheiser HeadSetup 7.3 or older.

Anyone who installed the software on a computer system, or who otherwise got hold of the private key, could potentially abuse it: an attacker could issue certificates that any system with the root certificate installed would trust.

The installed certificate is self-signed, marked as a CA certificate, and valid until January 13, 2027. The installer "pushes the certificate into the local machine trusted root certificate store of the Windows system on which it is installed".

Updating the application, or uninstalling HeadSetup version 7.3 or earlier, does not remove the certificate. Any system on which the software was installed at some point therefore remains vulnerable, even if the software is no longer installed.

German security company Secorvo Security Consulting GmbH published a vulnerability report that provides additional details.

Secorvo describes several attack scenarios in the report:

  • Read and modify the complete session of the victim with any seemingly secure HTTPS web server
  • Send the victim malicious software, or provide the victim with a download link to malicious software, seemingly coming from an arbitrary well-known software publisher

Sennheiser changed the installation process in newer versions of Sennheiser HeadSetup. Attackers can no longer directly create valid certificates, because this time Sennheiser kept the private key secret.


The researchers could not find any published information about the "policies according to which the SennComRootCA operates" and consider the "risk that an attacker might fraudulently obtain a certificate significantly higher [..] than for other pre-installed Root CAs or their respective Sub CAs".

At the time of writing, Sennheiser has not published an update that resolves the issue, but it has removed downloads of the existing setup versions of the application. Microsoft, for its part, removed the certificates from its Certificate Trust List.

You can track the issue under CVE-2018-17612.

Mitigation

Administrators may remove the certificates in the following way:

  1. Open an elevated command prompt window.
    1. Select Start.
    2. Type cmd.
    3. Right-click on the result and select "run as administrator" from the context menu.
  2. Run the following commands on the command line:
    1. certutil -delstore root "127.0.0.1"
    2. certutil -delstore root "SennComRootCA"

Note: if you need the web-based functionality, remove only the first certificate and wait for an update of the software application.

Active Directory administrators may place the certificates into the Untrusted Certificates store; this is found under Policies\Windows Settings\Security Settings\Public Key Policies\Untrusted Certificates.
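As an added example that is not part of the advisory or this article, the following PowerShell script performs the same cleanup as the certutil steps above, but first reports what it finds (thumbprint, self-signed, CA flag, expiry) and, when run with -Remove, places each certificate into the local Untrusted (Disallowed) store, the machine-local counterpart of the Group Policy placement just described, before deleting it from Root. The parameter names and output format are this example's own.

```powershell
# Added example, not from the advisory or the article. Audits LocalMachine\Root for the
# two HeadSetup certificates named in the certutil commands above and, with -Remove,
# copies each into the Untrusted (Disallowed) store before deleting it from Root.
# Run from an elevated PowerShell session. Parameter names are this example's own.
param(
    # Pass only '127.0.0.1' to follow the note about keeping the web-based functionality.
    [string[]]$Names = @('127.0.0.1', 'SennComRootCA'),
    [switch]$Remove
)

# certutil -delstore matches on the subject common name; do the same here.
$found = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
    $Names -contains $_.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

if (-not $found) {
    Write-Output 'No HeadSetup certificates present in LocalMachine\Root.'
    return
}

foreach ($cert in $found) {
    # Report the properties the advisory calls out: self-signed, CA flag, expiry date.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCA = if ($bc) { $bc.CertificateAuthority } else { $false }
    Write-Output ('{0}: thumbprint={1} self-signed={2} CA={3} expires={4:yyyy-MM-dd}' -f
        $cert.Subject, $cert.Thumbprint, ($cert.Subject -eq $cert.Issuer), $isCA, $cert.NotAfter)

    if (-not $Remove) { continue }

    # Distrust first, then remove: an entry in Disallowed keeps the certificate untrusted
    # even if an old installer later adds it to Root again.
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'Disallowed', 'LocalMachine')
    $disallowed.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $disallowed.Add($cert)
    $disallowed.Close()

    Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    Write-Output '  moved to Disallowed and removed from Root'
}
```

Without -Remove the script only reports, which makes it usable as a quick check on machines where HeadSetup may once have been installed.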


Comments

  1. asd said on November 29, 2018 at 2:31 am

    Is there any way to proactively clean up local certificates from unnecessary certificates?

  2. lushkava said on November 29, 2018 at 9:18 pm

    There is a good utility named RCC that inspects root certificates and reports any that are not present in Microsoft’s official Root Certificate Program List. Unfortunately, the website that hosted that utility is down. At the Wilders Security forum, the author has indicated that he does not currently have the time to maintain it.

    Mark Russinovich’s sigcheck is a currently maintained alternative. Unwanted root certificates can be removed with certmgr.msc although, if a truly rogue certificate is encountered, a clean re-install of the OS and one’s applications may be advisable.

  3. Tim2 said on December 5, 2018 at 10:15 pm

    If you mean this one –

    https://www.softpedia.com/get/Security/Security-Related/RCC.shtml

    it’s still hosted on Softpedia
