Razer Chroma SDK Private Key Disclosure

2019.07.09
Credit: Anonymous
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Razer is a company that produces gaming-centric computer peripherals, laptops, desktops, and mobile phones. Many of their products allow for rich customization of device lighting effects. These features are managed by a client application called Synapse. On Windows, Razer Synapse 3 installs an optional component - the Razer Chroma SDK - by default. This component installs a root certificate - with the private key - which is the same across installs. This key is extractable on Windows hosts, and can subsequently be used to launch SSL/MITM attacks against other Razer Synapse users. Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many Razer products - such as the Stealth and Blade laptops - many of these consumer laptops came shipped with this root certificate already installed, and are vulnerable out of the box. This flaw impacts Razer Synapse 3 versions 1.0.103.136 build 3.4.0415.04181, and may impact older versions. Some Synapse 3 versions available publicly through May and June of 2019 were not tested and may be impacted as well. This flaw appears to have been addressed by a fix in Razer Chroma SDK Core 3.4.3, and also appears to be addressed in the latest version of Synapse 3 available on Razer's website at https://www.razer.com/synapse-3 which installs version 1.0.103.136, build 3.4.0630.062510 These versions still install a root certificate with private key - and are thus able to MITM local TLS network traffic and undermine other local cryptographic operations - but the certificate is now generated per-install. Users can confirm whether or not they're impacted by checking for the following certificate in their Windows "Trusted Root Certification Authorities" Store: Common Name: Razer Chroma SDK Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218 Valid from May 13, 2018 to May 10, 2028 Users can also test whether they're vulnerable by visiting https://razerfish.org in either Chrome or Edge. Impacted systems will not encounter an SSL error when navigating to this website, which has an SSL certificate signed with the re-used certificate. End users who updated Synapse 3 appropriately may no longer be impacted. However, users who haven't updated - or who may have removed the Chroma SDK in non-standard ways - may still be at risk. Similarly, many consumer devices may be vulnerable immediately after purchase depending on their manufacture/ship date. Users can mitigate this risk independently by removing the above named certificate, or downloading the latest version of Synapse 3 and confirming that it properly removes this certificate. *Reporting Coordination/Timeline* This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019. There hasn't been any substantial communication from the Razer team about their preferences on disclosure since a tentative fix was tested in April. Given the limited response, and since an update alone isn't guaranteed to mitigate this issue for all Razer consumers, I've opted to publish this publicly after three requests for guidance from Razer. March 20th - Issue reported on HackerOne March 25th - HackerOne forwards issue to Razer April 30th - HackerOne requests confirmation of fix in Chroma SDK Core 3.4.3, fix confirmed May 1st - HackerOne/Razer acknowledge an initial request for public disclosure, say they'll look into it May 15th - HackerOne says they've not heard back from Razer May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says they're still waiting on an update from Razer June 27th - Requested update on case, propose disclosure on July 8th July 8th - No response from HackerOne or Razer, posted to FD


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top