Home / malware eDellRoot
First posted on 13 January 2016.
Source: SecurityHomeAliases :
There are no other names known for eDellRoot.
Explanation :
The flaw affects a root certificate called DSDTestProvider, and can allow hackers to launch a man-in-the-middle attack to snoop on internet traffic, impersonate legitimate websites, install malicious software and even decrypt HTTPS traffic.
The true scope of the problem remains unclear, but it has been confirmed that recent Dell models, including the XPS and Inspiron 5000 series, come pre-loaded with the self-signed digital certificates.
Dell has admitted that a piece of software called Dell System Detect comes with the DSDTestProvider certificate, which it claims has "similar characteristics" to the much-publicised eDellRoot flaw.
"The impact is limited to customers who used the ?detect product' functionality on our support site between 20 October and 24 November 2015," the firm said in a statement.
"Like eDellRoot, the support certificate in question was designed to make it faster and easier for our customers to get support."
Superfish 2.0
Dell faced mounting criticism earlier this week after the discovery of a major security vulnerability pre-installed in even the most up-to-date computer hardware which can leave sensitive data wide open to attack.
In similar way to the much-publicised Superfish debacle that hit Lenovo less than a year ago, the security flaw stems from a certificate named eDellRoot which can be exploited to intercept and modify web traffic, including usernames and passwords, while passing through a system connected to open WiFi.
The flaw was exposed on 22 November 2015 by security researcher Joe Nord, who discovered the eDellRoot certificate on a Dell Inspiron 5000 series notebook 2015 model.
Dell has released a statement admitting to the problem and outlining the steps it is taking to resolve the situation.
"Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs unintentionally introduced a security vulnerability," the firm said.
The certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting issues with their hardware, according to Dell.
"The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it."
The firm has stressed that the pre-installed certificate is "not malware or adware".
"It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers," the statement continued.
"This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
Dell has also released step-by-step instructions in how remove the certificate, and will push a software update to fully solve the problem.
"Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward," said the firm.
"Your trust is important to us and we are actively working to address this issue."Solution :
Remove eDellRoot and DSDTestProvider
- Open Task Manager by right-clicking the taskbar, the long horizontal bar at the bottom of the screen, clicking and select Task Manager.
- Select the Services tab in the Task Manager window.
- Open Services at the bottom of the Services tab.
- Search for "Dell Foundation Services" and select.
- Click Stop Service.
- The service should now be stopped.
- Open Windows Explorer, navigate to c:Program FilesDellDell Foundation Services and delete the file URDell.Foundation.Agent.Plugins.eDell.dll.
- If a warning is shown, click continue to delete the file.
- Press the Windows logo key on the keyboard and type URcertmgr.msc and then press the Enter key.
- You may be prompted to allow the program to make changes on the computer. Click on Yes.
- When the certificate management window is open, double-click trusted root certification authorities in the left pane.
- Select the DSDTestProvider certificate in the right pane.
- Remove the certificate by clicking on the X icon in the toolbar.<br>
Warning: make sure you only select the DSDTestProvider certificate, as in the example below, before pressing the delete button is clicked. Removal of another certificate may cause your system to fail.
- You are prompted to confirm the removal of the DSDTestProvider certificate. Click on Yes.
- In the right pane, select the eDellRoot certificate
- Remove the certificate by clicking on the X icon in the toolbar.
Warning: make sure that only the certificate eDellRoot is selected. See the example below before clicking the delete button is clicked. Removal of another certificate may cause your system to fail.
- You are prompted to confirm the removal of the certificate "eDellRoot". Click on Yes.
- After removal of both the DSDTestProvider as the eDellRoot to the certificate must both certificates no longer appear in the Windows Certificate Manager
- Double-click the personal folder in the left pane. Double-click the Certificates folder.
Note: Or DSDTestProvider or eDellRoot whether or not the certificates in the personal folder-> certificates, depends on how the certificates were originally installed.
- Select the DSDTestProvider certificate in the right pane.
- Remove the certificate by clicking on the X icon in the toolbar.
- You are prompted to confirm the removal of the DSDTestProvider certificate. Click on Yes.
- Select the eDellRoot certificate in the right pane.
- Remove the certificate by clicking on the X icon in the toolbar.
- You are prompted to confirm the removal of the certificate eDellRoot. Click on Yes.
- After removal of both DSDTestProvider as eDellRoot to the both certificates should no longer appear in the Windows Certificate Manager.
- Restart your pc.
- The DSDTestProvider and eDellroot certificates are now removed from your computer.
Last update 13 January 2016