What is the vulnerability analysis of CVE-2018-17612?

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through the vulnerability analysis of CVE-2018-17612, which many people may not understand well. The editor has summarized the key points below.

Preface

When users install Sennheiser's HeadSetup software, few of them know that it also installs a root certificate into the Trusted Root Certification Authorities store. In addition, it installs an encrypted version of the certificate's private key, which is very insecure behavior.

This certificate and its corresponding private key are the same for everyone who installs the software. An attacker who decrypts the key can issue forged certificates under the domain names of other websites and, when the user visits those websites, sniff the targeted user's network traffic by performing a man-in-the-middle attack.

Deconstruction

Although these certificate files are deleted when users uninstall the HeadSetup software, the trusted root certificates are not removed. This allows attackers with the correct private key to continue sniffing attacks after the target user has uninstalled HeadSetup.

When HeadSetup is installed, it stores two certificates on the target computer. The software uses these certificates, together with TLS-encrypted WebSockets, to communicate with the headset. The first certificate, SennComCCCert.pem, is a root certificate, and SennComCCKey.pem is that certificate's private key.

When the researchers analyzed the private key file, they found that it was encrypted using AES-128-CBC and that they needed to find the correct password to decrypt it. Since HeadSetup also requires this decryption key, the password must be stored somewhere in the software, and it turns out that it is stored in a file called WBCCListener.dll.

"To decrypt the private key file, we need to figure out what encryption algorithm and key it uses," the researchers explained. "We first guessed that the vendor used the common AES encryption algorithm (CBC mode, 128-bit key). In the HeadSetup installation directory, we found only one executable code containing the filename 'SennComCCKey.pem' and the DLL file 'WBCCListener.dll'. We searched the DLL for strings containing 'AES' and found the AES-128.cbc logo, stored in plaintext."

After converting the decrypted private key to the standard OpenSSL PEM format, the researchers still needed a password to use it. This password is stored in a file called WBCCServer.properties.

With the root certificate's private key in hand, the researchers could generate a large number of certificates for google.com, sennheiser.com, and the sites of other headset manufacturers, such as jbl.com, harmankardon.com, and bose.com.

Because every installation uses the same private key, other devices are not immune either. Attackers can use such a certificate to perform man-in-the-middle attacks, ultimately intercepting and tampering with user traffic to the targeted sites.

This also means that attackers can create fake certificates for bank websites and then steal online banking login credentials, credit card information and other sensitive information from target users.

Remove insecure root certificates

The researchers reported the issue to Sennheiser, and it has been assigned the ID CVE-2018-17612. Sennheiser also said that an updated version will be released in early December, which will remove the trusted root certificates and ensure that no certificates are left behind after the software is uninstalled.

At the same time, Sennheiser also released a batch file that users can run to remove the certificates. The researchers strongly recommend that users who have HeadSetup installed run the script as soon as possible to protect themselves.

Microsoft also issued a security bulletin (ADV180029) explaining that Microsoft has released an updated list of trusted certificates and removed malicious certificates from the original list.
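To check whether the HeadSetup root is still trusted on a Windows machine, including after the software has been uninstalled, the following PowerShell function can be used. It is an added example, not Sennheiser's batch file and not part of the original article. The function name and parameters are hypothetical, and it assumes the caller supplies either the install directory or a thumbprint taken from the vendor or Microsoft advisory.

```powershell
# Added example: read-only audit, not Sennheiser's removal script.
# -InstallDir and -KnownThumbprint are caller-supplied; nothing is hard-coded.
function Find-HeadSetupRoot {
    [CmdletBinding()]
    param(
        [string]$InstallDir,               # HeadSetup install directory, if still installed
        [string[]]$KnownThumbprint = @()   # thumbprints taken from the advisory
    )

    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($t in $KnownThumbprint) { [void]$wanted.Add(($t -replace '\s', '')) }

    # While the software is installed, read the thumbprint from the shipped file.
    $keyOnDisk = $false
    if ($InstallDir -and (Test-Path -LiteralPath $InstallDir)) {
        $certFile = Join-Path $InstallDir 'SennComCCCert.pem'
        if (Test-Path -LiteralPath $certFile) {
            $full = (Resolve-Path -LiteralPath $certFile).ProviderPath
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
            [void]$wanted.Add($cert.Thumbprint)
        }
        $keyOnDisk = Test-Path -LiteralPath (Join-Path $InstallDir 'SennComCCKey.pem')
    }

    if ($wanted.Count -eq 0) {
        Write-Warning 'No thumbprint to look for: pass -InstallDir or -KnownThumbprint.'
        return
    }

    # A hit in either store means the root is still trusted on this machine.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $wanted.Contains($_.Thumbprint) } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    KeyOnDisk  = $keyOnDisk   # private key file still present next to the cert
                }
            }
    }
}

# Placeholder values; replace with the real directory or the advisory thumbprint.
# Find-HeadSetupRoot -InstallDir '<HeadSetup install directory>'
# Find-HeadSetupRoot -KnownThumbprint '<thumbprint from advisory>'
```

The function only reports matches; removal is left to the vendor's script or the updated HeadSetup version described above.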
