Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy are a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.
Since Monday, our teams have been working hard to address the security issue caused by the eDellRoot certificate. When we became aware of the issue, we immediately dug into all our applications that get pre-loaded on our PCs. We can confirm we have found no other root certificates on our factory installed PC images. What we did find was that the Dell System Detect application and its DSDTestProvider root certificate had similar characteristics to eDellRoot. Thank you again Hanno Böck for calling this to our attention, as well as topg who commented below.
In the case of Dell System Detect, our customer opts to download the software proactively to interact with our support website so we can provide a better and more personalized experience. Like eDellRoot, the certificate in question was designed to make it faster and easier for our customers to get support. Unlike eDellRoot, this certificate is not related to software that was pre-installed on our systems.
The impact from Dell System Detect is limited to customers who used the “detect product” functionality on our support site between October 20 and November 24, 2015. The application in question was removed from the support site on November 24 and a replacement application without the certificate is now available. We are proactively pushing a software update to address the issue for our consumer systems. Our commercial customers can either manually remove the certificate or use their system management tools like SCCM to do so (we will be providing instructions on this shortly). If you choose the manual option, we have updated instructions on our site http://www.dell.com/support/edellroot to permanently remove this certificate. Note, these are updated instructions for removing both eDellRoot and DSDTestProvider from any folders where they may be stored. If you previously uninstalled eDellRoot, we recommend you go through the process again to ensure a thorough sweep.
WIRED has noted that “security is far easier to promise than it is to achieve.” We know that your trust is harder to win than it is to lose. Once we know we have addressed these issues and our customers have what they need to ensure their systems are safe, we will provide an account of how the issues were introduced – not only for your information, but so we can improve our processes.
In today’s world of ever-increasing cybersecurity threats, we all need to be vigilant. And that is the promise that we make - Dell will remain ever vigilant against security threats and we will respond with the utmost speed and accuracy when we become aware of issues that can impact our customers.
Today Microsoft released Security Advisory 3119884 that will place both the eDellRoot and DSDTestProvider certificates into the Windows Certificate Trust List (CTL) as non-trusted certificates, so even if the certificates are installed, they cannot be used. CTL updates are automatically pushed to both consumer and commercial Windows PCs. Most systems with Internet access should pick up the update within the next 24 hours. For more information, see the Security Advisory. This security step is in addition to actions already taken by Dell, as outlined in this post early last week, and by partners like Microsoft and Intel who added the patch to their anti-virus and anti-malware tools on November 25 to ensure both certificates were no longer usable.
Jeff Clarke, our vice chairman and president of Client Solutions, came into the studio to tape a short message to our customers and the security community to underscore our commitment to your security, to getting these issues resolved, and to being forthcoming with information as we have it.
With this latest important step by Microsoft and the proactive security updates driven by Dell complete, we are now turning our full attention to understanding what happened and how to prevent it in the future. We will be sure to update you here when we have more information to share.
What about the equally problematic DSDTestProvider root certificate that seems to have been installed by Dell System Detect on my XPS 13? It has the same properties as eDellRoot & also includes a private key ...
What this indicates is that the certificate was generated outside an HSM, or was exported from one. Either would be very bad certificate management practice.
I read about this vulnerability in an article on BBC online. Has it not hit the US news?
Big issue: nowhere (even in the linked instructions) does it say which PCs are affected. The instructions imply that only Windows 8.1/10 machines are affected? Desktops and laptops?
Is there a silent switch for the automatic removal tool method? We would like to be able to push it out via SCCM.
For example: eDellRootCertFix.exe /quiet
For the sake of the rest of the industry, please publish an account of why this happened - the security world would like to understand the failures in process and thought that led to the creation of a relatively complex use of cryptographic components in a way that would ring alarm bells for most practiced cryptography users. If it "just seemed like a good idea" to some developer who didn't speak to a security professional, or it was reviewed by a security team, those are different problems, and which one it was will add to the corpus of knowledge used by application security professionals to improve security involvement in development process. Don't let this languish in the realm of "oops, we did a bad thing, and now we made it better".
You have a responsibility to tell us what the bad thing was, and what steps you did to make it better - otherwise, the only responsible conclusion to draw is that you're idiots, you employ idiots, and you'll continue to employ idiots who do idiotic things.
I'm fairly certain that's not the case, but I think the security community needs you to explain why that's not true.
@ameyer117 Try this command for SCCM deployment:
certutil.exe -delstore root "6b c5 7b 95 18 93 aa 97 4b 62 4a c0 88 fc 3b b6"
That's the eDellRoot serial number.
After running the .exe I've noticed that eDellRoot still exists in the personal certificate store in local computer certificates. Why does it not delete the certificate?
Also we'd like to deploy it via GPO, any chance of a .MSI?
I ran the eDellRootCertFix.exe on my new (just last week) Dell OptiPlex 7020 running Win10. Now I can't access my start menu. I get a big green box that says "Critical Error. Your start menu isn't working. We'll try to fix it the next time you sign in." Logging out and back in again does not fix the problem. Rebooting my computer does not fix the problem. Dell's RootCertFix program has made my computer inoperable. Any suggestions on how to make my computer work again?
This is one of those reasons I always uninstall anything with "Dell" in the name from newly acquired systems, including "Dell Foundation Services". Unfortunately, I don't know whether simply uninstalling Dell Foundation Services actually removes the offending certificate.
The "fix-tool" released today appears to solve the problem, but for those of us that have to manage hundreds or even thousands of systems, it is "noisy" popping up "you're not affected" or "you've been fixed" boxes which are intrusive to the user. So we can't script a rollout of that tool.
Can we get a silent version that simply writes log results to a file so IT administrators can simply retrieve the file to interpret the success/failure results? Or even just a silent version? This would be a 3-minute issue for me to fix by rolling out to the 100+ companies we support if it weren't for the non-silent nature of the current fix tool.
That works, except the Word doc instructions Dell provides show more steps. Specifically, when the 'Dell Foundation Services' service first starts, it re-installs the cert. So, first, one has to stop that service and delete the Dell.Foundation.Agent.Plugins.eDell.dll file (or uninstall the software completely).
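As an added example (not Dell's fix tool and not posted by any commenter), the PowerShell script below covers both points raised in the comments above: the certutil one-liner only removes eDellRoot from the machine Root store by serial number, while the Word instructions note that the certificate can also sit in the Personal store and is re-installed by the Dell Foundation Services service. It assumes an elevated Windows PowerShell session; the list of stores checked and the service display-name match are assumptions, and the eDellRoot serial is the one quoted in the certutil comment.

```powershell
<#
  Audit (and optionally remove) the eDellRoot / DSDTestProvider certificates.
  Added example; not Dell's tool. Assumes Windows PowerShell 5, run as Administrator.
  Run with no arguments to audit only; add -Remove to stop the service and delete the certs.
#>
param([switch]$Remove)

# Subject CNs named in the post; the eDellRoot serial is the one quoted in the certutil comment.
$BadSubjectPattern = '^CN=(eDellRoot|DSDTestProvider)(,|$)'
$EDellRootSerial   = '6BC57B951893AA974B624AC088FC3BB6'

# Stores to sweep (assumption): the machine and user Root and Personal (My) stores,
# since the comment above reports eDellRoot surviving in the Personal store.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

$Found = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $BadSubjectPattern -or $_.SerialNumber -eq $EDellRootSerial } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # a trusted root shipped with its private key is the real risk
                NotAfter      = $_.NotAfter
                PSPath        = $_.PSPath
            }
        }
}

if (-not $Found) { "No eDellRoot/DSDTestProvider certificates found in the audited stores."; return }
$Found | Format-Table Store, Subject, HasPrivateKey, Thumbprint -AutoSize

if ($Remove) {
    # The service re-installs the certificate when it starts (see the comment above),
    # so stop and disable it before deleting. Matching on display name is an assumption;
    # the page does not give the exact service name.
    Get-Service | Where-Object { $_.DisplayName -like 'Dell Foundation Services*' } |
        ForEach-Object {
            Stop-Service -InputObject $_ -Force
            Set-Service -Name $_.Name -StartupType Disabled
        }

    # Remove each matching certificate; -DeleteKey also deletes the associated private key.
    $Found | ForEach-Object { Remove-Item -Path $_.PSPath -DeleteKey -Force }
    "Removed $($Found.Count) certificate(s). Re-run without -Remove to verify the stores are clean."
}
```

Because the script returns a non-interactive result and writes nothing to the screen except the table and a summary line, it can be deployed silently through SCCM or a GPO startup script, which addresses the "noisy" fix-tool complaint in the thread.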
I use XP SP3 on a Dell Vostro 200 PC. Can I assume this does not apply to me?
@Louis D - Any commercial and consumer systems that received an update to Dell Foundation Services beginning in August 2015 were impacted. This update was removed on 11/23 and was replaced by a new update that will eliminate the root certificate from systems. Commercial customers who reimaged their systems without the Dell Foundation Services application were not impacted.
@gerben_z - Sorry to hear of the issue. For technical assistance contact Dell Customer Service or Dell Technical Support (links above under "Content Reminder"), or if you are on Twitter you can reach out to @DellCaresPro for assistance.
@topg - Wanted to let you know that our team is looking into this, as well, and we should have an update to address it very soon.