exploit the possibilities

Razer Chroma SDK Private Key Disclosure

Razer Chroma SDK Private Key Disclosure
Posted Jul 9, 2019

The Razer Chroma SDK installs with a root certificate that also includes its private key. This flaw impacts Razer Synapse 3 versions 1.0.103.136 build 3.4.0415.04181, and may impact older versions.

tags | advisory, root, info disclosure
MD5 | 87e97b329881cde3f9618ebfb8e669ba

Razer Chroma SDK Private Key Disclosure

Change Mirror Download
Razer is a company that produces gaming-centric computer peripherals,
laptops, desktops, and mobile phones. Many of their products allow for
rich customization of device lighting effects. These features are managed
by a client application called Synapse.

On Windows, Razer Synapse 3 installs an optional component - the Razer
Chroma SDK - by default. This component installs a root certificate - with
the private key - which is the same across installs. This key is
extractable on Windows hosts, and can subsequently be used to launch
SSL/MITM attacks against other Razer Synapse users.

Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many
Razer products - such as the Stealth and Blade laptops - many of these
consumer laptops came shipped with this root certificate already installed,
and are vulnerable out of the box.

This flaw impacts Razer Synapse 3 versions 1.0.103.136 build
3.4.0415.04181, and may impact older versions.

Some Synapse 3 versions available publicly through May and June of 2019
were not tested and may be impacted as well.

This flaw appears to have been addressed by a fix in Razer Chroma SDK Core
3.4.3, and also appears to be addressed in the latest version of Synapse 3
available on Razer's website at https://www.razer.com/synapse-3 which
installs version 1.0.103.136, build 3.4.0630.062510

These versions still install a root certificate with private key - and are
thus able to MITM local TLS network traffic and undermine other local
cryptographic operations - but the certificate is now generated per-install.

Users can confirm whether or not they're impacted by checking for the
following certificate in their Windows "Trusted Root Certification
Authorities" Store:

Common Name: Razer Chroma SDK

Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218

Valid from May 13, 2018 to May 10, 2028

Users can also test whether they're vulnerable by visiting
https://razerfish.org in either Chrome or Edge. Impacted systems will not
encounter an SSL error when navigating to this website, which has an SSL
certificate signed with the re-used certificate.

End users who updated Synapse 3 appropriately may no longer be impacted.
However, users who haven't updated - or who may have removed the Chroma SDK
in non-standard ways - may still be at risk. Similarly, many consumer
devices may be vulnerable immediately after purchase depending on their
manufacture/ship date.

Users can mitigate this risk independently by removing the above named
certificate, or downloading the latest version of Synapse 3 and confirming
that it properly removes this certificate.

*Reporting Coordination/Timeline*

This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019.
There hasn't been any substantial communication from the Razer team about
their preferences on disclosure since a tentative fix was tested in April.

Given the limited response, and since an update alone isn't guaranteed to
mitigate this issue for all Razer consumers, I've opted to publish this
publicly after three requests for guidance from Razer.

March 20th - Issue reported on HackerOne

March 25th - HackerOne forwards issue to Razer

April 30th - HackerOne requests confirmation of fix in Chroma SDK Core
3.4.3, fix confirmed

May 1st - HackerOne/Razer acknowledge an initial request for public
disclosure, say they'll look into it

May 15th - HackerOne says they've not heard back from Razer

May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says
they're still waiting on an update from Razer

June 27th - Requested update on case, propose disclosure on July 8th

July 8th - No response from HackerOne or Razer, posted to FD


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close