A recent vulnerability in Sennheiser’s headphone management utility illustrates the risk of unexpected additions to the Microsoft windows certificate store.
During installation, the Sennheiser software installed a self-signed root certificate into the computer’s trusted root CA certificate store. A copy of the certificates’ private key was also copied into application’s installation directory. Security research firm Secorvo recently disclosed that although the private key was encrypted, it was encrypted with the easily-guessable passphrase of the vendor’s name which makes it trivial for an attacker to decrypt the key and use it to further their attack.
As a result of this vulnerability (CVE-2018-17612), the researchers were able to create and install trusted wildcard certificates for various websites, including Google. Any malicious user who was aware of the flaw would be able to do the same, creating trusted certificates for any web domain which would be treated as valid on any other Windows computer which has ever had the Sennheiser software installed on it – compromising the HTTPS/TLS security.
Reminiscent of the Superfish software which contained a similar flaw and came pre-installed on Lenovo laptops in 2014, this story illustrates the risks posed by unexpected and unauthorised changes to the trusted certificate store.
Microsoft has issued a security advisory regarding these types of certificate-based vulnerabilities and has also updated the security trust list within the WIndows operating system to remove user-mode trust for these certificates.
How to check your certificate store for potentially rogue certificates
This story raises the question of how to check the certificate store for other unexpected certificates which could compromise the security of the certifiates used by the computer. The Sysinternals Sigcheck tool by Microsoft’s Mark Russinovich is a useful utility in this situation. It can be used to check all the installed certificates on the local system and will identify any which are not trusted according to the Microsoft trusted root certificate list.
Sigcheck can be obtained from the Sysinternal website at the following URL:
Executing Sigcheck with the -tv operator will have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list i.e. suspicious certificates.
A healthy report will produce the result: No certificates found.