Why it matters: Connecting to a site with HTTPS gives users a sense of privacy and security. For users of Sennheiser's HeadSetup software, a flaw allowed forged certificates to appear legitimate, opening the door to man-in-the-middle attacks.
A flaw in Sennheiser's HeadSetup software that works with the company's headphones has been discovered that allows for man-in-the-middle attacks to be carried out. German consulting firm Secorvo has published a vulnerability report and Sennheiser has updated its software to eliminate the threat.
The vulnerability in question occurs because the software was installing a root certificate and an encrypted private key to the Trusted Root CA Certificate store. With that key, a spoofed certificate could be generated that would appear valid to end users. Connecting to HTTPS sites would still show a secure connection, even though a malicious entity could gain access to any data transmitted.
In HeadSetup and HeadSetup Pro, the vulnerable certificates will no longer be installed. Sennheiser has published a script that will remove affected certificates from affected computers as well as a guide using Active Directory and Group Policy Editor to achieve the same result.
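A root certificate whose private key is present on end-user machines is the condition the two paragraphs above describe, and it is something an administrator can audit directly rather than relying solely on the vendor's removal script. The following PowerShell is an added example, not Sennheiser's published script or anything from Secorvo's report: it lists certificates in the machine-wide and per-user Trusted Root stores for which Windows reports a locally held private key, and optionally removes a single entry by a thumbprint the administrator supplies. The thumbprint value is a placeholder; the page does not give the affected certificate's thumbprint.

```powershell
# Added example (not Sennheiser's or Secorvo's code).
# Audits the Trusted Root CA stores for root certificates whose private key is held on this
# machine. A trusted root with a local private key lets anyone who recovers the key mint
# certificates that browsers will accept, which is the risk the article describes.

function Get-TrustedRootsWithPrivateKey {
    param(
        # Both the machine-wide store (what installers typically write to) and the user store.
        [string[]] $StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            Select-Object @{ Name = 'Store'; Expression = { $path } },
                          Subject, Issuer, Thumbprint, NotAfter
    }
}

function Remove-TrustedRootByThumbprint {
    # Removes one root certificate by thumbprint from the machine store. Requires an elevated
    # shell. Run without -Confirm:$false first to see what would be deleted.
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\Root'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $Thumbprint in $StorePath."
        return
    }
    Remove-Item -Path $cert.PSPath -Confirm
}

# Report: anything listed here deserves a closer look, whatever software installed it.
$findings = @(Get-TrustedRootsWithPrivateKey)
if ($findings.Count -gt 0) {
    Write-Warning "Trusted root certificates with a locally held private key:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No trusted root certificate with a local private key was found."
}

# Example removal call with a placeholder thumbprint (replace with the value from the report):
# Remove-TrustedRootByThumbprint -Thumbprint 'PLACEHOLDER_THUMBPRINT'
```

The audit is deliberately broad: it does not look for any vendor-specific name, so it also surfaces other software that ships a signing key to client machines. In an Active Directory environment the same check can be pushed out as a scheduled script and the results collected centrally before the Group Policy cleanup Sennheiser documents is applied.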
Not unlike Lenovo's Superfish software, Sennheiser's mistake leaves users open to the same type of forgery attack. The main difference, though, is that Sennheiser was not abusing the flaw; it was simply an unnoticed security issue.
To make matters worse, browsers such as Google Chrome will not detect forged certificates that chain to a correctly installed root certificate. Certificate pinning, a mitigation that modern browsers support, does not help in this case because the chain of trust does not appear broken at any step.
Both Windows and macOS users are believed to be affected by the issue, but the fixes are already available. If you use Sennheiser's HeadSetup or HeadSetup Pro software, update it immediately to the latest version.