PT-2018-14084 · Sennheiser · Sennheiser Headsetup

Published: 2018-11-09 · Updated: 2019-05-15 · CVE-2018-17612

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Sennheiser HeadSetup version 7.3.4903

Description: The issue allows remote attackers to spoof arbitrary web sites or software publishers by using Certification Authority (CA) certificates placed in the Trusted Root CA store of the local system. The private key for that CA is published in the SennComCCKey.pem file within the public software distribution. This could enable spoofing even after the HeadSetup product is uninstalled. A vulnerability assessment should check for unwanted CA certificates with a CN of 127.0.0.1 or SennComRootCA on all Windows systems.

Recommendations: For Sennheiser HeadSetup version 7.3.4903, remove any unwanted CA certificates with a CN of 127.0.0.1 or SennComRootCA from the Trusted Root CA store to prevent spoofing. As a temporary workaround, consider restricting access to the SennComCCKey.pem file until a patch is available.
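The check and the cleanup described above can be scripted for an assessment. The following PowerShell is an added example and is not part of the advisory or of Sennheiser's software; it assumes the PowerShell certificate provider (Cert:\) is available and that it is run in an elevated session. It enumerates both the machine-wide and the per-user Trusted Root stores, reports any CA certificate whose Common Name is exactly 127.0.0.1 or SennComRootCA, and deletes the matches only when -Remove is passed.

```powershell
# Added example (not from the advisory or Sennheiser): audit the Windows Trusted Root
# stores for CA certificates with CN=127.0.0.1 or CN=SennComRootCA and optionally remove them.
# Default is report-only; pass -Remove in an elevated PowerShell to delete the matches.
param(
    [switch]$Remove
)

# An installer may have written to either store, so check both.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Match the CN as the first RDN of the subject, exactly, to avoid flagging unrelated
# subjects that merely contain these strings somewhere in the DN.
$pattern = '^CN=(127\.0\.0\.1|SennComRootCA)(,|$)'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath   # provider path used for removal below
            }
        }
}

if (-not $findings) {
    Write-Output 'No CA certificates with CN=127.0.0.1 or CN=SennComRootCA found in the Trusted Root stores.'
    return
}

# Thumbprints are what you would record as evidence in the assessment report.
$findings | Format-Table Store, Subject, Issuer, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Remove-Item on the certificate provider path deletes the entry from the store.
        Remove-Item -Path $f.PSPath -Verbose
    }
} else {
    Write-Output 'Report-only mode. Re-run with -Remove (elevated) to delete the listed certificates.'
}
```

Run it without arguments first to collect the thumbprints across a fleet (for example via a remote-management tool), then re-run with -Remove once the findings have been reviewed; the per-user store is checked in the context of the account running the script, so a fleet-wide sweep should be executed for each interactive user profile or in the user's session.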

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: CVE-2018-17612

Affected Products: Sennheiser Headsetup