Dell’s Certificate Authority (CA)
News recently broke about Dell shipping a self-signed root Certificate Authority (CA) certificate and its private key on a wide range of Windows-based systems. This provided an opportunity for attackers to use the CA to generate bogus certificates for popular websites, and subsequently intercept traffic to and from those sites on open networks (like a coffee shop). Users of affected Dell systems would not receive any warning that the SSL/TLS certificate encrypting their sessions was bogus, because the certificate would have been signed by a CA their system trusted. This technique would even work for sites that use HTTP Public Key Pinning, because browsers such as Chrome and Firefox deliberately trust root certificates installed on a system.
Unfortunately, this situation is not unique to Dell. Lenovo had a similar issue earlier this year, dubbed “Superfish”, and other vendors have likewise been impacted by Certificate Authority compromises or mistakes resulting in the issuance of trusted, yet illegitimate, certificates that jeopardize online security.
How does this affect Tanium customers?
Fortunately, Tanium customers have a powerful tool for surveying their environments in seconds to determine if rogue certificates are present on servers, workstations, laptops, or tablets. Tanium’s Jason Moras, Director of Technical Account Management, used the publicly available information about the “eDellRoot” CA in conjunction with Tanium’s Certificate Management capabilities to perform a simple enterprise-wide search for its presence.
In the screenshot below, you can see that the eDellRoot CA was found on 12 of roughly 1400 machines. (Host names have been omitted from this output for privacy). Like any Tanium query, this search took seconds to complete, without relying on previously cached, stale data.
This example used the serial number of the certificate as the search criterion, but we could have just as easily used the certificate issuer CN or organization name as inputs.
In addition to looking for a specific certificate, Tanium can also enumerate all of the certificates within all endpoints’ certificate “stores” to help identify outliers and unexpected entries. The screenshot below shows the output of a Tanium query to list all certificates in the AuthRoot store. The aggregate count of certificates found in the environment may easily be used to spot anomalies.
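As an added illustration of the same two checks on a single Windows host (this is not Tanium content or a Tanium sensor): the PowerShell below walks the machine and user root stores, matches entries against a watchlist by serial number or issuer CN, and additionally flags any self-signed root whose private key is present on the endpoint, which is the eDellRoot pattern. The serial number in the watchlist is a placeholder; only the eDellRoot CN comes from the page, and the store paths and DN parsing are assumptions for this example.

```powershell
# Added example (not Tanium content): inventory root stores on one Windows host and flag
# entries that match a watchlist or look like a rogue CA (self-signed with a private key).
# Watchlist serial is a placeholder; substitute the published eDellRoot serial number.
$Watchlist = @{
    SerialNumbers = @('PLACEHOLDER-SERIAL')   # hex string as shown by the SerialNumber property
    IssuerCNs     = @('eDellRoot')            # CN taken from the page; add others as needed
}

$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

function Get-IssuerCN {
    param([string]$DistinguishedName)
    # Pull the CN= component out of an X.500 name such as "CN=eDellRoot, O=Dell"
    # (simplified: assumes no escaped commas inside the CN value).
    foreach ($part in ($DistinguishedName -split ',\s*')) {
        if ($part -match '^CN=(.+)$') { return $Matches[1] }
    }
    return $null
}

$Findings = foreach ($store in $Stores) {
    foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
        $cn = Get-IssuerCN $cert.Issuer
        $reasons = @()
        if ($Watchlist.SerialNumbers -contains $cert.SerialNumber) { $reasons += 'serial on watchlist' }
        if ($Watchlist.IssuerCNs -contains $cn)                    { $reasons += 'issuer CN on watchlist' }
        # A trusted root whose private key is present on an endpoint is the eDellRoot pattern:
        # anyone holding that key can mint certificates this host will trust.
        if ($cert.Subject -eq $cert.Issuer -and $cert.HasPrivateKey) {
            $reasons += 'self-signed root with private key'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                IssuerCN   = $cn
                Serial     = $cert.SerialNumber
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it on a handful of endpoints to build a baseline of expected root-store entries; anything that appears on only a few machines, or that carries a private key, is the outlier the fleet-wide query is looking for.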
To use this content, Tanium administrators can navigate to the “Authoring” tab in the Tanium Console, click on “Solutions”, and import the solution named “Certificate Management”.
Tanium’s Certificate Management content is a great example of the flexibility of the Tanium platform, and its ability to detect, respond to, and protect against a broad spectrum of threats to online security.
Dave Hull, Director