Vulnerability Description
Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) certificates into the Trusted Root CA store of the local system, and publishes the private key in the SennComCCKey.pem file within the public software distribution, which allows remote attackers to spoof arbitrary web sites or software publishers for several years, even if the HeadSetup product is uninstalled. NOTE: a vulnerability-assessment approach must check all Windows systems for CA certificates with a CN of 127.0.0.1 or SennComRootCA, and determine whether those certificates are unwanted.
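As an added example, not part of the CVE record or of any vendor tooling, the following PowerShell script implements the assessment check the note describes: it enumerates the local machine and current user Trusted Root and intermediate CA stores and reports any certificate whose subject CN is 127.0.0.1 or SennComRootCA, so an operator can decide whether each one is unwanted.

```powershell
# Added example (not from the CVE record): hunt the Windows certificate
# stores for the CA names the advisory says an assessment must look for.
# Reporting only; removal is left to the operator after review, because a
# CN of 127.0.0.1 can also belong to unrelated local development certs.
$suspectNames = @('127.0.0.1', 'SennComRootCA')
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            # SimpleName yields the subject CN of an X509Certificate2 object
            $cn = $_.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                $false)
            $suspectNames -contains $cn
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter      # the leaked CA stays valid for years
                IsSelfSigned  = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($findings) {
    Write-Warning ("{0} CA certificate(s) matching the HeadSetup CA names found" -f @($findings).Count)
    $findings | Format-Table -AutoSize
    # After confirming a hit is unwanted (e.g. issuer/thumbprint matches the
    # HeadSetup-installed CA), an administrator can remove it with:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\<Thumbprint>"
} else {
    Write-Output 'No CA certificates with CN 127.0.0.1 or SennComRootCA found.'
}
```

Run it elevated to cover the LocalMachine stores; uninstalling HeadSetup does not remove the certificates, so the check is worthwhile even on machines where the product is gone.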
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sennheiser | Headsetup | 7.3.4903 |
| Microsoft | Windows 10 | - |
| Microsoft | Windows 7 | - |
| Microsoft | Windows 8.1 | - |
| Microsoft | Windows Rt 8.1 | - |
| Microsoft | Windows Server 2008 | - |
| Microsoft | Windows Server 2012 | - |
| Microsoft | Windows Server 2016 | - |
| Microsoft | Windows Server 2019 | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106045 (Third Party Advisory, VDB Entry)
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180029 (Patch, Vendor Advisory)
- https://www.secorvo.de/publikationen/headsetup-vulnerability-report-secorvo-2018 (Exploit, Mitigation, Technical Description)
FAQ
What is CVE-2018-17612?
CVE-2018-17612 is a vulnerability with a CVSS score of 7.5 (HIGH). Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) certificates into the Trusted Root CA store of the local system, and publishes the private key in the SennComCCKey.pem file within the...
How severe is CVE-2018-17612?
CVE-2018-17612 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17612?
Check the references section above for vendor advisories and patch information. Affected products include: Sennheiser Headsetup, Microsoft Windows 10, Microsoft Windows 7, Microsoft Windows 8.1, Microsoft Windows Rt 8.1.