Executive Summary

Information
Name: TA15-051A
First vendor publication: 2015-02-20
Vendor: US-CERT
Last vendor modification: 2015-02-24
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS base score: 5
CVSS impact score: 2.9
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Overview

Superfish adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.


Description


Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements.  In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack.  Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with.  Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed.  This means websites, such as banking and email, can be spoofed without a warning from the browser.


Although Lenovo has stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.


To detect a system with Superfish installed, look for an HTTP GET request to:


superfish.aistcdn.com


The full request will look like:


http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]


Where [ACTION] is at least one of 1, 2, or 3: 1 and then 2 are sent when the computer is turned on, and 3 is sent when the computer is turned off.
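The following is an added example, not part of the US-CERT alert, that applies the network indicator above to HTTP request logs: it matches GET requests to superfish.aistcdn.com/set.php, pulls out the ID and Action parameters, and maps the Action value to the power-on/power-off meaning the alert gives. The log line layout (client address, method, URL separated by spaces) and the sample lines are constructed assumptions; adapt the split to your proxy or IDS log format.

```python
"""Find Superfish VisualDiscovery beacons in HTTP request logs.

Added example (not from the US-CERT alert). Indicator implemented:
  GET http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]
with Action 1 then 2 at power-on and 3 at power-off.
Assumed log format: one request per line, "<client_ip> <method> <url>".
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

SUPERFISH_HOST = "superfish.aistcdn.com"
SUPERFISH_PATH = "/set.php"

# Action values given in the alert.
ACTION_MEANING = {
    "1": "power-on (first beacon)",
    "2": "power-on (second beacon)",
    "3": "power-off",
}

# Windows-style GUID, braces optional.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")


def parse_beacon(method: str, url: str) -> Optional[Dict[str, object]]:
    """Return beacon details if (method, url) matches the indicator, else None."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(url)
    # urlsplit lower-cases the hostname, so the comparison is case-insensitive.
    if parts.hostname != SUPERFISH_HOST or parts.path != SUPERFISH_PATH:
        return None
    query = parse_qs(parts.query)
    ids, actions = query.get("ID", []), query.get("Action", [])
    if not ids or not actions:
        return None
    guid, action = ids[0], actions[0]
    return {
        "guid": guid,
        "guid_well_formed": bool(GUID_RE.match(guid)),
        "action": action,
        "meaning": ACTION_MEANING.get(action, "unknown action value"),
    }


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan '<client_ip> <method> <url>' lines; return one finding per beacon."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line; skip rather than crash
        client, method, url = fields
        beacon = parse_beacon(method, url)
        if beacon is not None:
            findings.append({"line": lineno, "client": client, **beacon})
    return findings


def infected_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct client addresses that sent at least one beacon, sorted."""
    return sorted({str(f["client"]) for f in findings})


# Constructed sample log (not real traffic); the GUID is a made-up value.
SAMPLE_LOG = """\
10.0.0.7 GET http://superfish.aistcdn.com/set.php?ID={3F2504E0-4F89-11D3-9A0C-0305E82C3301}&Action=1
10.0.0.7 GET http://superfish.aistcdn.com/set.php?ID={3F2504E0-4F89-11D3-9A0C-0305E82C3301}&Action=2
10.0.0.12 GET http://www.example.com/index.html
10.0.0.9 GET http://superfish.aistcdn.com/set.php?ID=3F2504E0-4F89-11D3-9A0C-0305E82C3301&Action=3
10.0.0.9 GET http://superfish.aistcdn.com/set.php?ID=garbage&Action=9
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h['line']}: {h['client']} Action={h['action']} ({h['meaning']})"
              f"{'' if h['guid_well_formed'] else ' [ID is not a GUID]'}")
    print("hosts to remediate:", ", ".join(infected_hosts(hits)))
```

Matching on the full set.php request keeps false positives low; if you only have DNS or flow data, the host name alone is the broader (and noisier) indicator the alert names first. An unknown Action value or a malformed ID is still reported, since the alert says the known values are "at least" 1, 2 and 3.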


Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly affected. Please refer to CERT Vulnerability Note VU#529496 for more details and updates.


Impact


A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.


Solution


Uninstall Superfish VisualDiscovery and associated root CA certificate


Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool to uninstall Superfish and remove all associated certificates.


It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”


Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.
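As an added example (not the alert's text, and not Lenovo's or Microsoft's tooling), the check below verifies that the root certificate issued to "Superfish, Inc." is actually gone after the software is removed. On Windows it enumerates the Trusted Root store through the standard library's ssl.enum_certificates(), which exists only on Windows; elsewhere it can still be run against a list of DER blobs. It reports and does not delete; removal should follow the Microsoft guidance the alert points to. The sample store entries are constructed stand-ins built by a small helper, not real certificates.

```python
"""Report any Trusted Root certificate carrying the Superfish organization name.

Added example, not from the US-CERT alert. The match is a literal byte
search for the organization name inside the DER-encoded certificate: X.509
name components are stored verbatim as PrintableString/UTF8String, so this
catches the "Superfish, Inc." CA without a full X.509 parser. A name encoded
as BMPString (UTF-16) would not match; use a real parser for exhaustive checks.
"""
import ssl
from typing import Dict, Iterable, List, Tuple

SUPERFISH_ORG = b"Superfish, Inc."  # issued-to name given in the alert

# (cert_bytes, encoding_type, trust), the tuple shape ssl.enum_certificates returns
StoreEntry = Tuple[bytes, str, object]


def find_superfish_certs(entries: Iterable[StoreEntry]) -> List[Dict[str, object]]:
    """Return one record per store entry whose DER bytes contain the Superfish name."""
    hits = []
    for index, (cert_bytes, encoding_type, trust) in enumerate(entries):
        if SUPERFISH_ORG in cert_bytes:
            hits.append({
                "index": index,
                "encoding": encoding_type,
                # enum_certificates reports True when trusted for all purposes,
                # otherwise a set of enhanced-key-usage OIDs.
                "trusted_for_all_purposes": trust is True,
                "size": len(cert_bytes),
            })
    return hits


def scan_windows_root_store(store: str = "ROOT") -> List[Dict[str, object]]:
    """Enumerate the Windows system store (default: Trusted Root) and check it."""
    enum = getattr(ssl, "enum_certificates", None)
    if enum is None:
        raise RuntimeError("ssl.enum_certificates() is only available on Windows")
    return find_superfish_certs(enum(store))


def fake_cert(org: str) -> bytes:
    """Constructed stand-in: a DER SEQUENCE wrapping one UTF8String (tag 0x0c).

    Real certificates are far larger, but the name bytes appear verbatim in
    both, which is all the search above relies on. Names must be < 126 bytes.
    """
    name = org.encode()
    inner = b"\x0c" + bytes([len(name)]) + name
    return b"\x30" + bytes([len(inner)]) + inner


# Constructed sample store: one benign root, the Superfish root, one limited-trust CA.
SAMPLE_STORE: List[StoreEntry] = [
    (fake_cert("Example Trust Root CA"), "x509_asn", True),
    (fake_cert("Superfish, Inc."), "x509_asn", True),
    (fake_cert("Example Limited CA"), "x509_asn", {"1.3.6.1.5.5.7.3.1"}),
]

if __name__ == "__main__":
    try:
        results = scan_windows_root_store()
        source = "Windows Trusted Root store"
    except RuntimeError:
        results = find_superfish_certs(SAMPLE_STORE)
        source = "constructed sample store (not on Windows)"
    if results:
        for r in results:
            print(f"{source}: Superfish CA present at index {r['index']}, "
                  f"trusted for all purposes: {r['trusted_for_all_purposes']}")
    else:
        print(f"{source}: no Superfish certificate found")
```

A hit with trusted_for_all_purposes True is the dangerous state the alert describes: every HTTPS site's certificate chained to that root is accepted silently. Firefox and Thunderbird keep their own stores, so a clean Windows store does not clear those; check them separately following the Mozilla guidance.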


Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA15-051A.html

CWE : Common Weakness Enumeration

%     Id       Name
50 %  CWE-310  Cryptographic Issues
50 %  CWE-200  Information Exposure

CPE : Common Platform Enumeration

Type         Count
Application  2

Snort® IPS/IDS

Date Description
2015-04-02 SuperFish adware outbound connection attempt
RuleID : 33645 - Revision : 2 - Type : PUA-ADWARE
2015-03-31 SuperFish adware outbound connection attempt
RuleID : 33580 - Revision : 2 - Type : PUA-ADWARE

Nessus® Vulnerability Scanner

Date Description
2015-02-20 Name : The remote Windows host is affected by a man-in-the-middle vulnerability.
File : smb_superfish_root_ca_installed.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2015-04-02 21:27:07
  • Multiple Updates
2015-03-31 21:26:22
  • Multiple Updates
2015-02-25 21:29:47
  • Multiple Updates
2015-02-25 05:26:27
  • Multiple Updates
2015-02-24 09:22:09
  • Multiple Updates
2015-02-20 21:40:44
  • First insertion