CERT mailing list archives

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 24 Feb 2015 00:35:43 -0600

NCCIC / US-CERT

National Cyber Awareness System:

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing [ https://www.us-cert.gov/ncas/alerts/TA15-051A ] 
02/20/2015 07:07 AM EST 
Original release date: February 20, 2015 | Last revised: February 24, 2015 
Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed.

Overview

The Superfish adware pre-installed on some Lenovo PCs installs a trusted root certification authority (CA) 
certificate that is identical on every affected machine, and whose private key can be recovered from the software, 
allowing an attacker to spoof HTTPS traffic.

Description

Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery adware on some of its consumer PCs. The 
software intercepts users' web traffic in order to inject targeted advertisements. To intercept encrypted (HTTPS) 
connections as well, it installs a Superfish root CA certificate in the system's trusted root store. All browser-based 
encrypted traffic to the Internet is then intercepted, decrypted, and re-encrypted to the user's browser by the 
application: a classic man-in-the-middle attack. Because the per-site certificates Superfish presents to the browser 
are signed by the CA it installed, the browser displays no warning that the traffic is being intercepted. The same CA 
certificate and private key ship with every copy of the software, and the private key can easily be recovered from 
it, so an attacker who obtains the key can generate a certificate for any website that will be trusted by every 
system with Superfish installed. Websites such as banking and email can therefore be spoofed without any warning from 
the browser.

Although Lenovo has stated [ http://news.lenovo.com/article_display.cfm?article_id=1929 ] that it has discontinued 
pre-installing Superfish VisualDiscovery, systems that shipped with the software already installed remain vulnerable 
until the corrective actions below have been taken.

To detect a system with Superfish installed, look in proxy or web-filter logs for an HTTP GET request to:

superfish.aistcdn.com

The full request looks like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

where [GUID] is a GUID value and [ACTION] takes at least the values 1, 2 and 3: 1 and then 2 are sent when the 
computer is powered on, and 3 is sent when it is shut down. Because the request is plain HTTP, it is visible to 
network monitoring.
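The check-in above is straightforward to flag in proxy logs. The following is an added example, not part of the advisory: it scans log lines in a simplified, assumed "timestamp client method url" layout (real proxy formats differ, so adjust the field split), matches only the host and path the advisory names, and decodes the Action value into the power-on/shutdown meaning given above. The sample log lines, client addresses and GUID are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Beacon is one Superfish check-in seen in a web proxy log.
type Beacon struct {
	Time    string
	Client  string // source address of the PC that sent the request
	GUID    string // the ID query parameter, as sent
	Action  int    // the Action query parameter; -1 if it was not a number
	Meaning string
}

// actionMeaning maps the Action values listed in the advisory to what they
// signal. Other values are kept and reported as unknown, since the advisory
// only states that the value is at least 1, 2 or 3.
func actionMeaning(a int) string {
	switch a {
	case 1, 2:
		return "power-on"
	case 3:
		return "shutdown"
	case -1:
		return "malformed Action parameter"
	default:
		return "unknown"
	}
}

// sampleLog is constructed for this example: "timestamp client method url".
// The GUID and addresses are made up; the unrelated lines show what must not match.
const sampleLog = `2015-02-20T08:01:12Z 10.0.0.17 GET http://superfish.aistcdn.com/set.php?ID=6fa459ea-ee8a-3ca4-894e-db77e160355e&Action=1
2015-02-20T08:01:13Z 10.0.0.17 GET http://superfish.aistcdn.com/set.php?ID=6fa459ea-ee8a-3ca4-894e-db77e160355e&Action=2
2015-02-20T08:02:00Z 10.0.0.23 GET http://www.example.com/index.html
2015-02-20T08:05:41Z 10.0.0.23 GET http://aistcdn.com/set.php?ID=unrelated&Action=1
2015-02-20T17:40:05Z 10.0.0.17 GET http://SUPERFISH.AISTCDN.COM/set.php?ID=6fa459ea-ee8a-3ca4-894e-db77e160355e&Action=3`

// detectBeacons returns every GET request to the Superfish check-in URL named
// in the advisory, in log order. Lines that are not GET requests to exactly
// that host and path are ignored.
func detectBeacons(log string) ([]Beacon, error) {
	var hits []Beacon
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[2] != "GET" {
			continue
		}
		u, err := url.Parse(f[3])
		if err != nil {
			continue // an unparsable URL cannot be the beacon
		}
		// Host names are case-insensitive; the path is not.
		if !strings.EqualFold(u.Hostname(), "superfish.aistcdn.com") || u.Path != "/set.php" {
			continue
		}
		q := u.Query()
		action, err := strconv.Atoi(q.Get("Action"))
		if err != nil {
			action = -1 // keep the hit: an odd parameter is still a request to the check-in URL
		}
		hits = append(hits, Beacon{
			Time:    f[0],
			Client:  f[1],
			GUID:    q.Get("ID"),
			Action:  action,
			Meaning: actionMeaning(action),
		})
	}
	return hits, sc.Err()
}

// clientsSeen groups hits by source address so each affected PC is listed once,
// with the sequence of Action values it sent.
func clientsSeen(hits []Beacon) map[string][]int {
	byClient := make(map[string][]int)
	for _, h := range hits {
		byClient[h.Client] = append(byClient[h.Client], h.Action)
	}
	return byClient
}

func main() {
	hits, err := detectBeacons(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%s %s GUID=%s Action=%d (%s)\n", h.Time, h.Client, h.GUID, h.Action, h.Meaning)
	}
	for client, actions := range clientsSeen(hits) {
		fmt.Printf("Superfish present on %s, actions seen: %v\n", client, actions)
	}
}
```

Matching on the parsed host and path rather than on a substring avoids false positives from other names under the same domain and still catches the request when the client sends the host name in a different case.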

Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly 
affected. Please refer to CERT Vulnerability Note VU#529496 [ http://www.kb.cert.org/vuls/id/529496 ] for more details 
and updates.

Impact

A machine with Superfish VisualDiscovery installed is vulnerable to SSL/HTTPS spoofing: an attacker who can intercept 
its traffic can impersonate any website without any warning from the browser.

Solution

*Uninstall Superfish VisualDiscovery and associated root CA certificate*

Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool [ 
http://support.lenovo.com/us/en/product_security/superfish_uninstall ] that uninstalls Superfish and removes all 
associated certificates.

If the software is removed by any other means, the affected root CA certificate must also be removed: simply 
uninstalling the software does not remove the certificate, and the system remains spoofable while it is present. 
Microsoft provides guidance on deleting [ https://technet.microsoft.com/en-us/library/cc772354.aspx ] and managing 
certificates [ http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates ] in the Windows 
certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority 
certificate is issued to "Superfish, Inc."; after cleanup, confirm that no trusted root certificate with that subject 
remains.

Firefox and Thunderbird keep their own certificate stores, separate from the Windows store, so the certificate must 
be removed there as well. Mozilla provides similar guidance [ 
https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate ] for its software.

References

  * [1] Lenovo Statement on Superfish [ http://news.lenovo.com/article_display.cfm?article_id=1929 ] 
  * [2] CERT VU#529496 [ http://www.kb.cert.org/vuls/id/529496 ] 
  * [3] Delete a Certificate [ https://technet.microsoft.com/en-us/library/cc772354.aspx ] 
  * [4] View or Manage a Certificate [ http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates ] 
  * [5] Deleting a root certificate [ https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate ] 
  * [6] Lenovo Superfish Uninstall Instructions [ http://support.lenovo.com/us/en/product_security/superfish_uninstall ] 

Revision History


  * February 20, 2015: Initial release 
  * February 20, 2015: Clarified software release dates 
  * February 24, 2015: Updated description and solution details 