Self-signed root certificate was part of a software update last August

The self-signed root certificate that has left Dell customers at risk was placed on affected systems after an August update to the Dell Foundation Services application.

The certificate, eDellRoot, leaves consumers exposed to various attacks. A criminal could use the certificate to manipulate traffic or monitor over-the-air traffic in public to obtain access to sensitive information such as passwords or email contents.

Researchers at Duo Labs examined a Dell laptop in-house and discovered the eDellRoot certificate, confirming previous reports that the certificate is shipped with the associated private key.

The researchers then turned to the Censys project and discovered the certificate’s fingerprint in several locations, confirming Dell has intentionally shipped identical keys in other models. Worse, one of the systems discovered by Duo Labs that was using the eDellRoot certificate to provide web services over HTTPS was a SCADA system. In order to protect the innocent, they withheld the name of the organization responsible for this massive misconfiguration.

“How this particular misconfiguration happened is unclear, but what is clear, is that this certificate is showing up in some extremely unusual and frankly concerning places,” a report from Duo Labs noted.
Duo Labs researchers also confirmed that eDellRoot was delivered to systems on August 18 as part of an update to the Dell Foundation Services (DFS) application.

Dell doesn’t fully explain the exact function of the application, other than noting that it “provides a core set of foundational services facilitating customer serviceability, messaging and support functions.”

In a statement published by Salted Hash, Dell hinted that an application was responsible, explaining that eDellRoot was loaded onto systems in order to make “servicing PC issues faster and easier for customers.”

Dell updated the DFS application on Monday, shortly after word of the rogue certificate started to spread. However, the software update – marked as Urgent by Dell – doesn’t contain a list of changes.

In their previous statement, Dell said they would be offering a tool to remove the certificate, as well as halting its use going forward.

Based on the list of compatible systems for DFS, the eDellRoot problem could impact a number of platforms, including XPS, OptiPlex, Inspiron, Vostro, and Precision.

As mentioned, Dell is planning to provide instructions and support for getting the eDellRoot certificate off affected systems. However, those doing manual removal should pay attention to what’s being deleted, the Duo Labs researchers say.

“Many people have indicated that removing the eDellRoot certificates from the root and personal certificate stores is sufficient to protect users,” the Duo Labs report explains.

“This is not entirely accurate; you must remove the eDell plugin entirely or the certificate will be reinstalled whenever it is loaded. This can be accomplished by deleting the ‘Dell.Foundation.Agent.Plugins.eDell.dll’ module from the system. Failure to do so may result in continued exposure to this security flaw.”

In Q3 2015, Dell shipped more than 10 million PCs, excluding handhelds, tablets, and servers. It isn’t clear how many of those systems are hosting a copy of the compromised certificate.
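
An audit sketch for the manual check described above, added here as an example and not taken from Dell or Duo Labs. It matches certificates by the subject name eDellRoot rather than by fingerprint, and it assumes the plugin sits somewhere under the Program Files directories, since the article gives no install path.

```powershell
# Added example: read-only audit, makes no changes to the system.
$certName   = 'eDellRoot'                                 # certificate name from the article
$pluginName = 'Dell.Foundation.Agent.Plugins.eDell.dll'   # module named in the Duo Labs quote

# Root and personal stores, for both the machine and the current user (assumed scope).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$certName*" } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Assumption: search both Program Files trees for the plugin module.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$plugins = if ($roots) {
    Get-ChildItem -Path $roots -Filter $pluginName -File -Recurse -ErrorAction SilentlyContinue
}

$certs   | Format-Table -AutoSize | Out-Host
$plugins | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-Host

# Removing only the certificate is not enough: the plugin puts it back when loaded.
if ($plugins -and -not $certs) {
    'Plugin present, certificate absent: the certificate will be reinstalled when the plugin loads.'
} elseif ($plugins -or $certs) {
    'Affected: remove the plugin module and the certificate from every store listed above.'
} else {
    'No eDellRoot certificate or eDell plugin found in the locations checked.'
}
```

Run it again after cleanup and after a reboot; a certificate that reappears means a copy of the plugin is still being loaded from a location this search did not cover.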