CVE-2015-2077

24.02.2015, 23:59

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 80%

Vendor	Product	Version
komodia	redirector_sdk	-

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOq6Yfn8Fp4

http://blog.erratasec.com/2015/02/some-notes-on-superfish.html#.VOq6Yvn8Fp4

http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/

http://news.lenovo.com/article_display.cfm?article_id=1929

http://support.lenovo.com/us/en/product_security/superfish

http://www.kb.cert.org/vuls/id/529496

http://www.securityfocus.com/bid/72693

http://www.securitytracker.com/id/1031779

http://www.theguardian.com/technology/2015/feb/19/lenovo-accused-compromising-user-security-installing-adware-pcs-superfish

http://www.us-cert.gov/cas/techalerts/TA15-051A.html

http://www.wired.com/2015/02/lenovo-superfish/

https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOq6Yfn8Fp4

http://blog.erratasec.com/2015/02/some-notes-on-superfish.html#.VOq6Yvn8Fp4

http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/

http://news.lenovo.com/article_display.cfm?article_id=1929

http://support.lenovo.com/us/en/product_security/superfish

http://www.kb.cert.org/vuls/id/529496

http://www.securityfocus.com/bid/72693

http://www.securitytracker.com/id/1031779

http://www.theguardian.com/technology/2015/feb/19/lenovo-accused-compromising-user-security-installing-adware-pcs-superfish

http://www.us-cert.gov/cas/techalerts/TA15-051A.html

http://www.wired.com/2015/02/lenovo-superfish/

https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339