
The private key used by the Komodia SDK that ships pre-installed with some Lenovo laptops has been compromised, which breaks the trust between web browsers and secure websites. Komodia SDK-based software establishes what is essentially a Man-in-the-Middle (MitM) between your browser and the HTTPS/SSL sites you visit, such as your bank. It creates a public-private key pair and inserts the public key as a Root Certificate Authority (CA) certificate on your machine. This means that an attacker can use the cracked private key to create a spoofed SSL certificate for a spoofed site. The Komodia SDK-based software will trust the certificate that has been installed into your Root CA store, and you will not notice a thing. The only thing you will notice, if you click on the lock icon in your browser address bar, is that the certificate from your bank shows "Issued by: Superfish, Inc.". Other software that uses the Komodia SDK includes PrivDog, among others. PrivDog, for example, is advertised as a privacy and secure browsing program. Like Superfish, it creates a MitM between your browser and secure websites.
The following image shows a browser with PrivDog installed:
This image shows the view from your browser:
This image shows the PrivDog Root Certificate Authority installed on your machine:
Dell SonicWALL UTM protects our customers with the following:
This vulnerability was not assigned a CVE.
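To check a machine for the kind of root CA certificate described above, the following added example (not part of the original article or any vendor tooling) lists matching entries in the Windows root stores. The function name `Find-SuspectRootCA` is hypothetical, and the name patterns are assumptions based on the product names mentioned in this article.

```powershell
# Added example: audit the Windows root CA stores for interception roots.
# The patterns are assumptions taken from the names in this article; the
# certificate subject on a given machine may be worded differently.
$patterns = 'Superfish', 'PrivDog', 'Komodia'
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuspectRootCA {
    param([string[]]$StorePath, [string[]]$NamePattern)

    # Build one case-insensitive regex from the escaped name patterns.
    $regex = ($NamePattern | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $regex -or $_.Issuer -match $regex } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    SelfSigned = ($_.Subject -eq $_.Issuer)  # roots are self-issued
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-SuspectRootCA -StorePath $stores -NamePattern $patterns)
if ($hits.Count -eq 0) {
    Write-Output 'No matching root certificates found in the Windows root stores.'
} else {
    # Review each hit before removing it; record the thumbprint for follow-up.
    $hits | Format-List
}
```

Firefox keeps its own certificate store by default, so this check only covers browsers and applications that rely on the Windows store.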