CERT mailing list archives

TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Fri, 20 Feb 2015 11:12:57 -0600

NCCIC / US-CERT

National Cyber Awareness System:

TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing [ https://www.us-cert.gov/ncas/alerts/TA15-051A ] 
02/20/2015 07:07 AM EST 
Original release date: February 20, 2015

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed, and potentially other systems running software built 
on the same Komodia library.

Overview

“Superfish” adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) 
certificate, the same certificate and private key on every affected machine, allowing an attacker to spoof HTTPS traffic.

Description

Starting in as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of its PCs. This 
software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections 
(those using HTTPS), the software installs a trusted root CA certificate for “Superfish.” All browser-based encrypted 
traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application, a 
classic “man in the middle” attack. Because the per-site certificates that Superfish presents to the browser are signed 
by the CA installed by the software, the browser displays no warning that the traffic is being tampered with. Since the 
private key of that CA can easily be recovered from the Superfish software, and is the same on every affected machine, 
an attacker who can get into the path of a victim’s traffic (on the same Wi-Fi network, for example) can generate a 
certificate for any website that will be trusted by a system with the Superfish software installed. This means 
websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has [1] stated [ http://news.lenovo.com/article_display.cfm?article_id=1929 ] they have discontinued 
the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed 
will continue to be vulnerable until corrective actions have been taken.

The underlying SSL decryption library from Komodia has been found in other applications as well, including 
“KeepMyFamilySecure,” which install a root CA in the same way and carry the same risk. Please refer to CERT [2] 
Vulnerability Note VU#529496 [ http://www.kb.cert.org/vuls/id/529496 ] for more details and updates.

To detect a system with Superfish installed from the network, look for an HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

where [ACTION] takes at least the values 1, 2, or 3: 1 and then 2 are sent when the computer is turned on, and 3 is 
sent when it is turned off. The request is sent over plain HTTP, so it is visible to web proxies and network 
monitoring without any decryption.
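The following is an added example, not part of the advisory, showing the beacon match above applied to web-proxy 
logs. The log lines, the “timestamp client-ip method url status” layout, the client addresses and the GUIDs are a 
constructed sample; adapt the field split to your proxy’s actual format.

```powershell
# Added example, not part of the advisory: flag the Superfish beacon described
# above in web-proxy logs. The log lines and the "timestamp client-ip method url
# status" layout are a constructed sample; adapt the field split to your proxy.

$SampleLog = @'
2015-02-19T08:01:12Z 10.1.2.15 GET http://superfish.aistcdn.com/set.php?ID=3f2c9d1e-8a4b-4c6d-9e0f-1a2b3c4d5e6f&Action=1 200
2015-02-19T08:01:13Z 10.1.2.15 GET http://superfish.aistcdn.com/set.php?ID=3f2c9d1e-8a4b-4c6d-9e0f-1a2b3c4d5e6f&Action=2 200
2015-02-19T08:02:40Z 10.1.2.40 GET http://www.example.com/ 200
2015-02-19T09:15:22Z 10.1.2.77 GET http://superfish.aistcdn.com/set.php?ID=7b8c9d0e-1f2a-3b4c-5d6e-7f8a9b0c1d2e&Action=1 200
2015-02-19T17:30:05Z 10.1.2.15 GET http://superfish.aistcdn.com/set.php?ID=3f2c9d1e-8a4b-4c6d-9e0f-1a2b3c4d5e6f&Action=3 200
'@

# Meaning of the Action values as given in the advisory.
$ActionMeaning = @{ '1' = 'startup (first beacon)'; '2' = 'startup (second beacon)'; '3' = 'shutdown' }

function Find-SuperfishBeacon {
    param([string[]]$Lines)
    # Anchor on host, path and both query parameters so that a bare hostname
    # lookup or an unrelated URL on the same host is not reported.
    $pattern = 'superfish\.aistcdn\.com/set\.php\?ID=(?<guid>[^&\s]+)&Action=(?<action>\d+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $fields = $line -split '\s+'
        $action = $m.Groups['action'].Value
        $meaning = 'unknown'
        if ($ActionMeaning.ContainsKey($action)) { $meaning = $ActionMeaning[$action] }
        [pscustomobject]@{
            Timestamp = $fields[0]
            ClientIP  = $fields[1]
            GUID      = $m.Groups['guid'].Value
            Action    = $action
            Meaning   = $meaning
        }
    }
}

$hits = @(Find-SuperfishBeacon -Lines ($SampleLog -split "`r?`n"))
$hits | Format-Table -AutoSize

# One line per affected client. If the GUID is stable per installation (as it
# is in this constructed sample), it identifies a machine even when its
# address changes.
"Affected clients:"
$hits | Group-Object ClientIP | ForEach-Object {
    "  {0}  beacons={1}  GUID={2}" -f $_.Name, $_.Count, $_.Group[0].GUID
}
```

Running the script against the sample reports two clients (10.1.2.15 with three beacons covering a startup and a 
shutdown, 10.1.2.77 with one) and ignores the unrelated request from 10.1.2.40. Unknown Action values are still 
reported, labelled “unknown,” since the advisory only says the set is at least 1, 2 and 3.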

Impact

A machine with Superfish VisualDiscovery installed is vulnerable to HTTPS spoofing attacks without a warning from the 
browser.

Solution

*Uninstall Superfish VisualDiscovery and associated root CA certificate*

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this 
includes Superfish VisualDiscovery.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the 
certificate. Microsoft provides guidance on [3] deleting [ https://technet.microsoft.com/en-us/library/cc772354.aspx ] 
and [4] managing [ http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates ] certificates in 
the Windows certificate store; check both the computer-wide and the current user’s Trusted Root Certification 
Authorities store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority 
certificate is issued to “Superfish, Inc.”

Mozilla provides similar [5] guidance [ https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate ] for their 
software, including the Firefox and Thunderbird certificate stores.
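The following is an added example, not part of the advisory or of any vendor guidance, that carries out the Windows 
side of the steps above: it lists uninstall entries for the software, finds the “Superfish, Inc.” root certificate in 
the computer-wide and per-user Trusted Root stores, deletes it when run with -Remove, and finally checks which issuer a 
live HTTPS connection presents. The HTTPS check assumes that the interception applies to any Winsock client on the 
machine, not only to browsers, and uses www.example.com as a placeholder target.

```powershell
# Added example, not part of the advisory: report (and, with -Remove, delete)
# the "Superfish, Inc." root certificate from the Windows certificate stores,
# list uninstall entries for the software, and check what issuer a live HTTPS
# connection actually presents. Run from an elevated PowerShell so the
# LocalMachine store is writable. Firefox/Thunderbird keep their own
# certificate database, which this script does not touch (see the Mozilla
# guidance above).
param([switch]$Remove)

$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuperfishRoot {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    PSPath     = $_.PSPath
                }
            }
    }
}

function Find-SuperfishProgram {
    # Uninstall entries from the 64-bit, 32-bit and per-user hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Superfish|VisualDiscovery' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-HttpsIssuer {
    # Open a TLS connection and return the issuer of the certificate presented.
    # On an intercepted machine this is the interceptor's CA, not the site's
    # real CA. Validation is disabled on purpose so the certificate is seen
    # even when it would fail; do not reuse this callback for real traffic.
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $ssl.RemoteCertificate.Issuer
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

$programs = @(Find-SuperfishProgram)
if ($programs) {
    "Software to uninstall first:"
    $programs | Format-Table -AutoSize
}

$certs = @(Find-SuperfishRoot)
if ($certs) {
    "Superfish root certificate(s) present:"
    $certs | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        foreach ($c in $certs) {
            Remove-Item -Path $c.PSPath -Confirm:$false
            "Removed $($c.Thumbprint) from $($c.Store)"
        }
    } else {
        "Re-run with -Remove to delete them after the software is uninstalled."
    }
} else {
    "No Superfish root certificate in the Windows stores."
}

# Independent check: the issuer a real connection sees. A value containing
# "Superfish" means interception is still active on this machine.
# www.example.com is a placeholder; any public HTTPS site will do.
try {
    "Issuer presented for https://www.example.com: " + (Get-HttpsIssuer -HostName 'www.example.com')
} catch {
    "Could not complete the HTTPS check: $($_.Exception.Message)"
}
```

The script is read-only by default; removal is a separate, explicit run so that the software is uninstalled first, in 
the order the advisory gives. The final connection check is the confirmation a practitioner wants after cleanup: if 
the issuer of the certificate presented for a public site still contains “Superfish,” the interception path is still 
in place even though the certificate may have been deleted from a store.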

References

  * [1] Lenovo Statement on Superfish (external link) [ http://news.lenovo.com/article_display.cfm?article_id=1929 ] 
  * [2] CERT VU#529496 (external link) [ http://www.kb.cert.org/vuls/id/529496 ] 
  * [3] Delete a Certificate (external link) [ https://technet.microsoft.com/en-us/library/cc772354.aspx ] 
  * [4] View or Manage a Certificate (external link) [ http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates ] 
  * [5] Deleting a root certificate (external link) [ https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate ] 

Revision History

  * February 20, 2015 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.
