A number of security researchers recently discovered that Dell laptops come pre-installed with an additional root certificate called eDellRoot. Because the corresponding private key is also present on the machine, this exposes Dell's customers to the risk of a Man-in-the-Middle (MITM) attack. In a MITM attack, the attacker sits on the network between server and client and uses the eDellRoot certificate to intercept and manipulate HTTPS connections. This vulnerability leaves anyone using these Dell laptops at risk of sensitive data exposure and even infection with malicious payloads, all under the cover of a trusted connection.
Dell has released an automatic update to uninstall the certificate; however, we can’t assume that all affected machines will receive this update in a timely fashion. In the meantime, the crucial next step is to know immediately which machines have the eDellRoot certificate, so that they can be fixed. We’d recommend using the power of our Cloud Agent and AssetView query service to instantly determine which machines are at risk and automatically group and tag these assets for remediation.
Find Affected Machines Instantly and Continuously
With a simple query, you can instantly find all machines that have eDellRoot installed. You can also convert this query into a dynamic dashboard, to constantly monitor the scope and impact of this vulnerability. Continuous monitoring is essential, because if any of these Dell computers are ever set back to the factory default, the eDellRoot certificate will once again be restored and the vulnerability reinstated.
Here’s the specific query syntax you can use to find systems with the eDellRoot certificate:
manufacturer.name=dell and vulnerability.vulnerabilities.qid=1018
Qualys Cloud Agent transmits installed Certificate Authorities to the Qualys platform and makes them available for reporting in AssetView. That way, you can continue to monitor the health and validity of all of your SSL certificates.
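For a spot check on a single Windows host, independent of the AssetView query above, the following script is an added example (not code from the original post, from Dell or from Qualys). It enumerates the machine and user Trusted Root stores, reports any certificate whose subject names eDellRoot, and flags whether the private key is present alongside it, which is the condition that makes HTTPS interception possible. It assumes an elevated PowerShell session; the thumbprint variable is a placeholder, since the post does not give the certificate's thumbprint, and matching falls back to the subject name.

```powershell
# Added example: local check for the eDellRoot root certificate on one Windows host.
# Assumptions: run as Administrator; $KnownThumbprint is a PLACEHOLDER to be replaced
# with the published eDellRoot thumbprint from a trusted source (not given in the post).
$KnownThumbprint = 'EDELLROOT-THUMBPRINT-PLACEHOLDER'
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Record the manufacturer so the result can be correlated with the AssetView query.
$Manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -match 'eDellRoot' -or $_.Thumbprint -eq $KnownThumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Manufacturer  = $Manufacturer
                Store         = $Store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # key on the host = usable for MITM
            }
        }
}

if (-not $Findings) {
    Write-Output 'eDellRoot not found in the machine or user Trusted Root stores.'
    exit 0
}

# Print every match, then use the exit code so the script can feed a compliance job.
$Findings | Format-Table -AutoSize | Out-Host
if ($Findings | Where-Object { $_.HasPrivateKey }) {
    Write-Warning 'eDellRoot is trusted AND its private key is present: host is exposed to HTTPS interception.'
    exit 2
}
Write-Warning 'eDellRoot is trusted but no private key was found in the store; it should still be removed.'
exit 1
```

Exit code 0 means clean, 1 means the certificate is trusted without a stored private key, and 2 means the certificate and its private key are both present. A factory reset restores the certificate, so run the check periodically rather than once.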