US CERT Critical Advisory: Lenovo Computers

By Ron Benvenisti. Popular Lenovo consumer personal computers purchased between 2010 and now that come with Superfish Visual Discovery software pre-installed contain a critical vulnerability: the software adds a trusted root CA certificate whose private key is the same on every affected machine and is easily extracted from the software. Exploitation of this vulnerability could allow an attacker on the network path (on the same public Wi-Fi, for example) to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system. This includes hijacking of private personal information, including usernames and passwords, without any indication to the user. Anti-virus and anti-malware programs do not detect this vulnerability, because a trusted root certificate is a configuration setting rather than malicious code.

If your Lenovo system has Superfish installed, or you are not sure whether it does, DO NOT log in to any accounts from that computer. This includes ALL accounts: banking, online retail, social media and email. If you must access accounts, do so from another, known-clean computer.

US-CERT recommends users and administrators review Vulnerability Note VU#529496 and US-CERT Alert TA15-051A for additional information and mitigation details.

If you do not understand the following information and cannot correct this flaw yourself, consult a professional, and do not use the computer until the vulnerability is remediated.

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed and potentially others.

Overview

“Superfish” adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.

Description

Starting as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of its PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for “Superfish.” All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application, a classic “man in the middle” attack. Because the per-site certificates Superfish presents to the browser are signed by the CA it installed, the browser displays no warning that the traffic is being tampered with. Since the CA’s private key is the same on every affected machine and can easily be recovered from the Superfish software, anyone can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has [1] stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

The underlying SSL decryption library from Komodia has been found to be present in other applications, including “KeepMyFamilySecure.” Please refer to CERT [2] Vulnerability Note VU#529496 for more details and updates.

To detect a system with Superfish installed from the network side, look for an HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

Where [ACTION] takes at least the values 1, 2 and 3: 1 and then 2 are sent when the computer is turned on, and 3 is sent when it is turned off.
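The following PowerShell script is an added example, not part of the US-CERT alert or of any Lenovo or Superfish material: it runs the detection described above over a web-proxy log and reports which clients sent the beacon and what each Action code means. The log field order ("client method url"), the client addresses and the GUID are constructed for illustration; adjust the regular expression to the field order your proxy actually writes.

```powershell
# Added example (not from the US-CERT alert): detect the Superfish beacon in a
# web-proxy log. Field order "client method url" and every value below are
# constructed for illustration; real proxy logs carry more fields.

function Find-SuperfishBeacon {
    param([string[]]$Lines)

    # The beacon the advisory describes: GET to superfish.aistcdn.com/set.php
    # carrying an ID (a GUID) and an Action code.
    $pattern = '^(?<client>\S+)\s+GET\s+http://superfish\.aistcdn\.com/set\.php\?ID=(?<id>[0-9A-Fa-f-]+)&Action=(?<action>\d+)'

    # Action codes named in the advisory; anything else is reported as unknown.
    $actionNames = @{ '1' = 'startup (first beacon)'; '2' = 'startup (second beacon)'; '3' = 'shutdown' }

    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $meaning = 'unknown'
        if ($actionNames.ContainsKey($Matches.action)) { $meaning = $actionNames[$Matches.action] }
        [pscustomobject]@{
            Client      = $Matches.client
            SuperfishID = $Matches.id
            Action      = [int]$Matches.action
            Meaning     = $meaning
        }
    }
}

# Constructed sample log: one host beacons at startup and shutdown, one does not.
$sampleLog = @'
10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=3F2504E0-4F89-11D3-9A0C-0305E82C3301&Action=1
10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=3F2504E0-4F89-11D3-9A0C-0305E82C3301&Action=2
10.0.0.40 GET http://www.example.com/index.html
10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=3F2504E0-4F89-11D3-9A0C-0305E82C3301&Action=3
'@ -split "`r?`n"

$hits = Find-SuperfishBeacon -Lines $sampleLog
$hits | Format-Table -AutoSize

# Every distinct client that beaconed should be treated as having Superfish
# installed until its certificate store has been checked.
$hits | Group-Object Client | ForEach-Object {
    '{0}: {1} beacon(s), Superfish ID {2}' -f $_.Name, $_.Count, $_.Group[0].SuperfishID
}
```

Against a real log, call `Find-SuperfishBeacon -Lines (Get-Content proxy.log)` after adapting the pattern. Two caveats: a proxy that strips query strings from its log will keep the host name but lose the ID and Action, so match on the host alone in that case; and the absence of the beacon does not prove the software is absent, so the certificate-store check under Solution remains the authoritative test for any given machine.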

Impact

A machine with Superfish VisualDiscovery installed will accept spoofed HTTPS connections to any site without a warning from the browser.

Solution

Uninstall Superfish VisualDiscovery and associated root CA certificate

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting and [4] managing certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”

Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores.
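The PowerShell script below is an added example, not part of the US-CERT alert or of Microsoft's guidance [3][4]: it performs the two steps above from an elevated prompt, first reporting (and optionally removing) any trusted root certificate issued to “Superfish, Inc.” in both the machine-wide and per-user root stores, then listing any Superfish program still registered in Programs and Features. The subject string is the one the advisory names; the `$Remove` switch and the registry paths are the script's own choices.

```powershell
# Added example (not from the US-CERT alert or Microsoft's guidance): report,
# and optionally remove, the Superfish root CA certificate from the Windows
# certificate stores, then list any still-installed Superfish program.
# Run from an elevated PowerShell prompt; set $Remove = $true to delete.

$Remove = $false

# Both the machine-wide and the per-user Trusted Root stores are checked; the
# subject match follows the advisory (certificate issued to "Superfish, Inc.").
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

foreach ($store in $stores) {
    $found = Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*Superfish, Inc.*' }
    if (-not $found) {
        Write-Output "$store : no Superfish certificate present"
        continue
    }
    foreach ($cert in $found) {
        Write-Output ('{0} : FOUND "{1}" thumbprint {2}, valid until {3}' -f $store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        if ($Remove) {
            # The certificate provider supports Remove-Item on a certificate's path.
            Remove-Item -Path $cert.PSPath
            Write-Output "$store : removed $($cert.Thumbprint)"
        }
    }
}

# Removing the certificate is only half the fix: the program that installed it
# must be uninstalled too (Programs and Features, or the UninstallString below).
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Superfish|VisualDiscovery' } |
    Select-Object DisplayName, DisplayVersion, UninstallString
```

Run it once to see what is present, uninstall the software, then run it again with `$Remove = $true` and reboot; a final run should report no certificate in either store and no matching program. This script only touches the Windows certificate stores: Firefox and Thunderbird keep their own certificate database, so the Mozilla guidance [5] still applies to those.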

References

Revisions

  • February 20, 2015

As always feel free to contact me at rbenvenistiATintegrissecurity.com, a proud partner of the New York/New Jersey Electronic Crimes Task Force. For free security tools and insights visit: https://www.integrissecurity.com/SecurityTools and http://integrissecurityinsights.blogspot.com/

[TLS]

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].


9 COMMENTS

  1. I have a Lenovo laptop. I have no idea how to check if I have superfish. I read how to check & I still don't know. Is there an easier way. Can I just search for it & see if it shows up ? Thanx.

  2. @InTruth Android is a moving target and therefore hard to keep up with the numerous exposures. The biggest danger is the one that has plagued everything from hard-drives to F-35 missile guidance systems: chips that are coded with malicious code. So, your Smartphone, regardless if it is Android or iOS, may be infected during the manufacturing process in hardware (as well as software). In any case that is for another article. In general be diligent when checking emails and stay away from questionable links – use an anti-malware/anti-virus program, don’t make purchases or do banking on your phone using public networks (like Optimum, etc or at Barnes & Noble) and hope for the best. The reality is that for any system, big or small, we don’t know what cyber-crimes tomorrow may bring.
