Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing
Komodia Redirector SDK is a self-described "interception engine" designed to enable developers to integrate proxy services and web traffic modification (such as ad injection) into their applications. With the SSL Digestor module, HTTPS traffic can also be manipulated. This is accomplished by installing a root CA certificate into browser trusted certificate stores, enabling the proxy to effectively man-in-the-middle all web traffic without raising any flags for the end-user.
In multiple applications implementing Komodia's libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.
An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.
Apply an update
Uninstall software using Komodia Redirector SDK and associated root CA certificates
The CERT/CC wishes to thank the following for their contributions to this report:Marc Rogers, https://twitter.com/marcwrogersRob Graham, https://twitter.com/erratarobTwitter user TheWack0lian https://twitter.com/TheWack0lianChris Palmer, https://twitter.com/fugueishFilippo Valsorda, https://twitter.com/FiloSottile
This document was produced as a collaborative effort of the CERT/CC Vulnerability Analysis team.
|Date First Published:||2015-02-19|
|Date Last Updated:||2015-03-17 18:21 UTC|