
CERT Coordination Center


Adtrustmedia PrivDog fails to validate SSL certificates

Vulnerability Note VU#366544

Original Release Date: 2015-02-23 | Last Revised: 2015-02-26

Overview

Adtrustmedia PrivDog fails to validate SSL certificates, making systems broadly vulnerable to HTTPS spoofing.

Description

Adtrustmedia PrivDog is a Windows application that advertises "... safer, faster and more private web browsing." PrivDog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, PrivDog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 3.0.96.0 is affected.

Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.

Users can test whether they are vulnerable to the PrivDog vulnerability and other similar vulnerabilities by visiting Filippo Valsorda's SSL test page.

Impact

An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Solution

Apply an update

This issue is addressed in PrivDog 3.0.105.0. This version of PrivDog appears to disable SSL interception for connections where the upstream certificate is not valid. Alternatively, consider the following workaround:

Uninstall PrivDog

Uninstalling PrivDog will remove the MITM proxy and the root CA certificate, thus restoring SSL validation to affected systems.
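
The upstream validation that the Description says is missing, and the pass-through behaviour that 3.0.105.0 appears to adopt, can be sketched as follows. This is an added example, not PrivDog or NetFilter SDK code; the function names, the return labels and the injectable `connect` parameter are assumptions made for illustration.

```python
import socket
import ssl

def upstream_context(validate=True):
    """TLS client context a hypothetical intercepting proxy uses toward the real site."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    if not validate:
        # Weak setting, equivalent in effect to the flaw in this note:
        # any upstream certificate (self-signed, wrong host) is accepted.
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return the validation gaps in an upstream context (empty list means sound)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("upstream chain is not verified")
    if not ctx.check_hostname:
        findings.append("upstream hostname is not checked")
    return findings

def interception_decision(host, port=443, ctx=None, connect=socket.create_connection):
    """Decide whether the proxy may re-sign traffic for host.

    'intercept'   : upstream certificate validated, re-signing hides nothing
    'passthrough' : do not intercept, so the browser sees the original
                    certificate and raises its own warning
    'unreachable' : upstream could not be contacted
    """
    if ctx is None:
        ctx = upstream_context()
    if audit_context(ctx):
        return "passthrough"             # never re-sign behind a blind context
    try:
        with connect((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "intercept"
    except ssl.SSLCertVerificationError:
        return "passthrough"             # invalid upstream certificate
    except OSError:
        return "unreachable"
```

The `connect` parameter exists only so the decision logic can be exercised without network access.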

Vendor Information


AdTrustMedia

Updated:  February 23, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.privdog.com/advisory.html

Addendum

We have confirmed that PrivDog 3.0.96.0 is affected.

Note that the above advisory has several inaccuracies.

    1. "The issue potentially affects a very limited number of websites."
      This is incorrect, as the impact of disabling SSL validation means that every website visited on a vulnerable system is affected.
    2. "In some circumstances self-signed certificates do not trigger a browser warning but encryption is still provided to the end user, hence security via encryption remains intact."
      While encryption may still be present between the client system and the web server, encryption is only one aspect of SSL or TLS. Authentication capabilities are completely disabled when PrivDog is installed.
    3. "The potential issue is only present if a user visits a site that actually has a self-signed certificate."
      This is incorrect, as any legitimate site that is visited can fall victim to a MITM attack.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    COMODO Security Solutions, Inc.

    Notified:  February 23, 2015 Updated:  February 26, 2015

    Status

      Not Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    COMODO products never distributed the mentioned edition (Desktop version of PrivDog, which has a totally different architecture).

    In the security industry, the term "adware" is a type of malicious code which displays unwanted ads. Ad supported apps such as MSN Messenger or Skype or PrivDog are not classified as adware because

    1 - The user's consent is received
    2 - It can be disabled or the product can be uninstalled

    We are an antivirus company and like other vendors, follow such methodologies while classifying it.

    Addendum

    There are no additional comments at this time.


    NetFilterSDK.com

    Updated:  February 23, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    http://netfiltersdk.com/help/ProtocolFilters/FT_SSL.htm

    Addendum

    NetFilter SDK has SSL certificate validation capabilities; however, the demonstration application that comes with the SDK doesn't use those capabilities.



    CVSS Metrics

    Group          Score  Vector
    Base           8.5    AV:N/AC:L/Au:N/C:C/I:P/A:N
    Temporal       8.1    E:H/RL:W/RC:C
    Environmental  8      CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


    Credit

    This vulnerability was publicly reported by Hanno Böck.

    This document was written by Will Dormann.

    Other Information

    CVE IDs: None
    Date Public: 2015-02-22
    Date First Published: 2015-02-23
    Date Last Updated: 2015-02-26 14:15 UTC
    Document Revision: 70

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.