Moderate 📢 Publicly disclosed 2018-11 archive

Executive Summary

Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication. More details are here: Certificate Management Vulnerability in Sennheiser HeadSetup and the CVE is here: CVE-2018-17612 . The certificates were inadvertently disclosed by the Sennheiser HeadSetup and HeadSetup Pro software. Customers who installed this software may be vulnerable, and should visit HeadSetup Update for an updated version of the HeadSetup & HeadSetup Pro software. As a precaution, Microsoft has updated the Certificate Trust List to remove user-mode trust for these certificates. Customers who have not installed Sennheiser HeadSetup software have no action to take to be protected. Customers who have installed Sennheiser HeadSetup software should update that software via the links above.

Overview

Moderate
MS Severity
Not Exploited
MS Exploit Status
Not Found
MS Exploit Likelihood
Category Spoofing
Released Nov 13 2018
Last Updated Nov 13 2018
Publicly Disclosed Yes
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Known Exploits

Acknowledgments

None