Microsoft on Tuesday warned users that digital certificates were disclosed in two apps, which could allow a bad actor to remotely spoof websites or content.
Headset software company Sennheiser HeadSetup, Microsoft said, had inadvertently installed the root certificates onto two apps, HeadSetup and Headsetup Pro.
Because the certificate and private key were the same for anyone who installed these two apps, a remote attacker could decrypt the private key for the systems, compromising the security of the Windows devices the apps are installed on.
Unauthorized digital certificates could allow spoofing, phishing, or man-in-the-middle attacks. Once hackers access the private key, they could purport to be an arbitrary well-known software publisher and send victims malicious software or phishing emails.
“Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates,” the tech giant said in its advisory. “The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.”
The flaw, CVE-2018-17612, has a CVSS 3.0 ranking of 7.5, meaning it is “high” severity.
The flaw exists because the private key has been published in the SennComCCKey.pem file within the public software distribution for both impacted HeadSetup apps.
Sercovo Security researchers, who discovered the vulnerability in July and disclosed an analysis of the flaw on Tuesday, said that the flaw enables the secret signing key of one of the planted root certificates to be easily obtained by an attacker.
This allows a bad actor to sign and issue technically trustworthy certificates – and poses a danger to impacted users who could become victim to certificate forgery, allowing an attacker to send trustworthy signed software or acting as an authority authorized by Sennheiser.
“Adding a Trusted Root CA certificate is a severe vulnerability, if a potential attacker has access to the associated private key,” researchers said in an analysis. “Such an attacker can issue forged certificates at his or her own discretion that will be automatically validated as valid and hence trusted on the affected vulnerable system.”
Sennheiser HeadSetup for its part urged impacted users to update to the latest version of the apps’ software, including Headsetup Pro v.2.6.8235; Headsetup: v.8.1.6114 (for PC) and v. 5.3.7011 (for Mac).
“Following a vulnerability identified in Sennheiser Headsetup and Headsetup Pro on November 9, new versions of all software have been made available,” the company said in a statement on its website.
