Sennheiser's HeadSetup and HeadSetup Pro applications added two Certification Authority (CA) certificates into the local system's Trusted Root CA store which exposed the users to spoofing attacks.
The attack resides in a handling error of the disclosed digital root certificates which can be used by remote attackers to issue their own certificates for server authentication and code signing.
Secorvo Security Consulting GmbH discovered the CVE-2018-17612 security issue caused by a critical implementation flaw which allows a potential attacker to obtain "the secret signing key of one of the clandestine planted root certificates."
After being informed about the security issue, Sennheiser started working on a patch for the HeadSetup software which should mitigate the bug, however, they haven't yet provided a fix.
Moreover, according to Secorvo, an updated version of HeadSetup which removes the disclosed root certificates will be released by Sennheiser at the end of November.
Secorvo provides mitigation measures for this security issue in their report
In order to allow HeadSetup users to protect themselves from this spoofing attack, Secorvo published a report with detailed information about the vulnerability, as well as a list of recommended mitigations.
The steps needed to mitigate the issue by end users are listed in Secorvo's vulnerability report in the "Risk Mitigation by Users" chapter which explains how to "remove the CA certificates added by the older and/or newer HeadSetup versions from the trusted root certificate store of their machine."
Sennheiser also provides a batch file which allows end users to remove the Sennheiser Communication certificates (ZIP) installed by the HeadSetup apps.
Microsoft published an advisory addressing this vulnerability "to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates."
Microsoft also updated the Certificate Trust List to make sure that the user-mode trust has been removed from the two Certification Authority (CA) certificates installed by Sennheiser's apps in the local system's Trusted Root CA store.