what you don't know can hurt you

Razer Chroma SDK Private Key Disclosure

Razer Chroma SDK Private Key Disclosure
Posted Jul 9, 2019

The Razer Chroma SDK installs with a root certificate that also includes its private key. This flaw impacts Razer Synapse 3 versions 1.0.103.136 build 3.4.0415.04181, and may impact older versions.

tags | advisory, root, info disclosure
MD5 | 87e97b329881cde3f9618ebfb8e669ba

Razer Chroma SDK Private Key Disclosure

Change Mirror Download
Razer is a company that produces gaming-centric computer peripherals,
laptops, desktops, and mobile phones. Many of their products allow for
rich customization of device lighting effects. These features are managed
by a client application called Synapse.

On Windows, Razer Synapse 3 installs an optional component - the Razer
Chroma SDK - by default. This component installs a root certificate - with
the private key - which is the same across installs. This key is
extractable on Windows hosts, and can subsequently be used to launch
SSL/MITM attacks against other Razer Synapse users.

Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many
Razer products - such as the Stealth and Blade laptops - many of these
consumer laptops came shipped with this root certificate already installed,
and are vulnerable out of the box.

This flaw impacts Razer Synapse 3 versions 1.0.103.136 build
3.4.0415.04181, and may impact older versions.

Some Synapse 3 versions available publicly through May and June of 2019
were not tested and may be impacted as well.

This flaw appears to have been addressed by a fix in Razer Chroma SDK Core
3.4.3, and also appears to be addressed in the latest version of Synapse 3
available on Razer's website at https://www.razer.com/synapse-3 which
installs version 1.0.103.136, build 3.4.0630.062510

These versions still install a root certificate with private key - and are
thus able to MITM local TLS network traffic and undermine other local
cryptographic operations - but the certificate is now generated per-install.

Users can confirm whether or not they're impacted by checking for the
following certificate in their Windows "Trusted Root Certification
Authorities" Store:

Common Name: Razer Chroma SDK

Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218

Valid from May 13, 2018 to May 10, 2028

Users can also test whether they're vulnerable by visiting
https://razerfish.org in either Chrome or Edge. Impacted systems will not
encounter an SSL error when navigating to this website, which has an SSL
certificate signed with the re-used certificate.

End users who updated Synapse 3 appropriately may no longer be impacted.
However, users who haven't updated - or who may have removed the Chroma SDK
in non-standard ways - may still be at risk. Similarly, many consumer
devices may be vulnerable immediately after purchase depending on their
manufacture/ship date.

Users can mitigate this risk independently by removing the above named
certificate, or downloading the latest version of Synapse 3 and confirming
that it properly removes this certificate.

*Reporting Coordination/Timeline*

This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019.
There hasn't been any substantial communication from the Razer team about
their preferences on disclosure since a tentative fix was tested in April.

Given the limited response, and since an update alone isn't guaranteed to
mitigate this issue for all Razer consumers, I've opted to publish this
publicly after three requests for guidance from Razer.

March 20th - Issue reported on HackerOne

March 25th - HackerOne forwards issue to Razer

April 30th - HackerOne requests confirmation of fix in Chroma SDK Core
3.4.3, fix confirmed

May 1st - HackerOne/Razer acknowledge an initial request for public
disclosure, say they'll look into it

May 15th - HackerOne says they've not heard back from Razer

May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says
they're still waiting on an update from Razer

June 27th - Requested update on case, propose disclosure on July 8th

July 8th - No response from HackerOne or Razer, posted to FD


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close