Vulnerability Note VU#529496
Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys
Overview
Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing
Description
Komodia Redirector SDK is a self-described "interception engine" designed to enable developers to integrate proxy services and web traffic modification (such as ad injection) into their applications. With the SSL Digestor module, HTTPS traffic can also be manipulated. This is accomplished by installing a root CA certificate into browser trusted certificate stores, enabling the proxy to effectively man-in-the-middle all web traffic without raising any flags for the end-user.
In multiple applications implementing Komodia's libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.
Impact
An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.
Solution
Apply an update
Uninstall software using Komodia Redirector SDK and associated root CA certificates
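The core of this note is that a root CA whose private key is public is a root anyone can issue under. The following added example (written for this page, not CERT/CC's or Komodia's code) shows the check a defender would run both to confirm the problem described above and to verify that the uninstall step actually removed the offending root: given a private key that has become public, report every certificate in an exported trust store that the key controls. It assumes the openssl command-line tool is installed; the certificates and keys it uses are generated on the spot as constructed stand-ins, and no vendor key is reproduced.

```shell
#!/bin/sh
# Added example for this note (not CERT/CC's or Komodia's code): given a private
# key that has become public, find which root CA certificates in a trust-store
# export it controls. Assumes the openssl CLI is present. All certificates and
# keys below are constructed here; no vendor key is reproduced.
set -eu

WORK=$(mktemp -d)

# Build a sample "trust store" directory: one root whose private key is in hand
# (standing in for a vendor-installed interception root) and one unrelated root.
make_sample_store() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Interception Root" \
    -keyout "$WORK/leaked.key" -out "$WORK/intercept-root.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Unrelated Root" \
    -keyout "$WORK/unrelated.key" -out "$WORK/unrelated-root.crt" 2>/dev/null
}

# A private key controls a certificate when the public key derived from it is
# identical to the certificate's SubjectPublicKeyInfo. Whoever holds such a key
# can mint leaf certificates that every system trusting the root will accept.
key_matches_cert() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the subject of every PEM certificate in a directory whose private key is
# the supplied one. Point it at an exported trust store (on Windows, export the
# LocalMachine\Root store to PEM files first).
flag_controlled_roots() {
  store_dir=$1; key=$2
  for c in "$store_dir"/*.crt; do
    if key_matches_cert "$c" "$key"; then
      openssl x509 -in "$c" -noout -subject
    fi
  done
}

# Stand-alone demonstration.
make_sample_store
echo "Roots controlled by $WORK/leaked.key:"
flag_controlled_roots "$WORK" "$WORK/leaked.key"
```

Comparing the public key rather than the certificate fingerprint is deliberate: a vendor may re-sign or re-issue the root with new validity dates, but as long as the same key pair is reused the leaked private key still controls it, and the check above still flags it.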
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Atom Security, Inc | Affected | 20 Feb 2015 | 23 Feb 2015 |
| DyKnow | Affected | 17 Mar 2015 | 17 Mar 2015 |
| Infoweise | Affected | 22 Feb 2015 | 22 Feb 2015 |
| KeepMyFamilySecure | Affected | 19 Feb 2015 | 23 Feb 2015 |
| Komodia | Affected | 19 Feb 2015 | 02 Mar 2015 |
| Kurupira | Affected | - | 20 Feb 2015 |
| Lavasoft | Affected | 20 Feb 2015 | 25 Feb 2015 |
| Lenovo | Affected | 19 Feb 2015 | 23 Feb 2015 |
| Qustodio | Affected | 19 Feb 2015 | 26 Feb 2015 |
| Superfish | Affected | 19 Feb 2015 | 23 Feb 2015 |
| UtilTool Ltd | Affected | 02 Mar 2015 | 02 Mar 2015 |
| Websecure Ltd | Affected | 20 Feb 2015 | 26 Feb 2015 |
CVSS Metrics
The CERT/CC wishes to thank the following for their contributions to this report:
Marc Rogers, https://twitter.com/marcwrogers
Rob Graham, https://twitter.com/erratarob
Twitter user TheWack0lian, https://twitter.com/TheWack0lian
Chris Palmer, https://twitter.com/fugueish
Filippo Valsorda, https://twitter.com/FiloSottile
This document was produced as a collaborative effort of the CERT/CC Vulnerability Analysis team.
- CVE IDs: Unknown
- US-CERT Alert: TA15-051A
- Date Public: 19 Feb 2015
- Date First Published: 19 Feb 2015
- Date Last Updated: 17 Mar 2015
- Document Revision: 129