Microsoft Revokes Trust for Certificates Leaked by D-Link

Microsoft revoked the four digital certificates inadvertently leaked last week by networking gear manufacturer D-Link.

Microsoft today revoked trust for the four digital certificates inadvertently leaked last week by networking gear manufacturer D-Link.

Microsoft said it has modified its Certificate Trust List removing trust for the four certs, which could have been used to sign malicious code used in attacks.

The certs included one belonging to D-Link and another from Alpha Networks, both of which were issued by Symantec. The other two, for Keebox and TRENDnet, were issued by GoDaddy.

Microsoft said that client versions of Windows 8, 8.1 and 10, as well as Windows Server 2012, Windows Server 2012 R2, Windows RT and Windows Phone 8 and 8.1 have automatic updaters that will revoke the certs without the need for user interaction. Windows Vista, Windows 7 and Windows Server 2008 and 2008 R2 also have an automatic installer available but it is not automatically installed with the respective operating systems. Those users can either install the automatic updater or can install update 2813430, Microsoft said.

The issue surfaced last Friday when a Dutch tech website reported that private keys used by D-Link to sign its software were found in the company’s open source firmware packages. Dutch security company Fox-IT confirmed the findings as well.

Leaking a legitimate code-signing certificate has potentially serious consequences. The use of stolen digital certificates is a common tactic among malware authors and attackers looking for a way to get their code past security systems. Many security technologies will trust files that are signed and let them pass. Many APT groups have made use of lost or stolen certs to sign malware used in targeted attacks.

The keys were found in firmware available for download from D-Link for the company’s DCS-5020L security camera; in addition to the private D-Link keys, passphrases and other information necessary to sign code were also available.

“I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” Fox-IT researcher Yonathan Klijnsma told Threatpost. “The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.”

The D-Link certificate, the company said, was published Feb. 27 and was available online for more than six months. It expired on Sept. 3. It’s unknown whether the certificates were used to sign malware in any active attacks.
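
The packaging mistake described above, a signing folder left in one source release, is something a check run before publication can catch. The following is an added example, not tooling from D-Link, Fox-IT or Microsoft; the archive layout, file names and extension list are constructed assumptions.

```python
import io
import re
import tarfile

# PEM headers that mark private key material (RSA, EC, PKCS#8, encrypted, OpenSSH).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumed list of extensions for containers that normally hold a private key.
KEY_EXTENSIONS = (".pfx", ".p12", ".pvk", ".jks", ".keystore")


def scan_release_archive(fileobj):
    """Return sorted (member_name, reason) findings for a tar release archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            if name.lower().endswith(KEY_EXTENSIONS):
                findings.append((name, "key container extension"))
                continue
            data = tar.extractfile(member).read()
            if PEM_PRIVATE.search(data):
                findings.append((name, "PEM private key header"))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample: a source tree where a signing folder was not excluded."""
    files = {
        "fw-src/app/main.c": b"int main(void) { return 0; }\n",
        "fw-src/signing/codesign.pfx": b"\x30\x82constructed-not-a-real-key",
        "fw-src/signing/key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "fw-src/certs/public.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in scan_release_archive(build_sample_archive()):
        print(f"BLOCK RELEASE: {name} ({reason})")
```

Run as a release gate, a non-empty result should stop the upload; public certificates alone do not trigger a finding.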

Discussion

  • Douglas Lindsey on

    This has affected the use of the D-LINK DNR-202L local website which admins all of my security cameras. What should I do to fix this?
  • Chris on

    Probably update to the latest version of the web-based tool. Maybe contact the vendor?
  • Orlando MD on

    I spent an hour on the phone with D-link support. They took remote control and fumbled around for over an hour with no solutions. My $600 system is useless now.
  • Larry on

    I just wish I could find a statement from DLink on how they are going to fix this. I have a new camera that also is affected by the revoked cert.
  • altobing on

    Is there any news about this? All my dlink ipcameras and dnr are useless now.
  • Renus on

    I worked around the issue by installing an older version of Java. Version Java 7 update 55. I have not tried newer to test if it works but I am now able to see live view, motion detection grid or anything related to Java.
  • Roland on

    This is so annoying. I preferred doing camera checking and playback on a web browser since the interface is bigger and easier to control. That is gone now without a word from DLink. Very bad. I am able to access playback control from the iOS app, though. It is a saving grace until they fix this issue!
  • Larry on

    I gave technical support access to my system and they said they had it fixed. I even uploaded a beta version of the DNR-202L firmware. Nothing fixed the problem and it remains as before. I don't think they know how to fix it or are unwilling. I will no longer buy DLink equipment for anything since this fiasco.
