Razer's Synapse hit by root certificate vulnerability

July 10, 2019 | 10:56

Tags: #chroma #flaw #insecurity #root-certificate #security #synapse #vulnerability

Companies: #hackerone #razer

An anonymous security researcher has warned of a security certificate vulnerability in Razer's Synapse software, partially resolved in a recent update but still giving the company the ability to perform man-in-the-middle (MITM) attacks on customers' encrypted network traffic at will.

The software side of Razer's gaming peripheral and RGB lighting ecosystem, Synapse is a must-install tool for managing its various products. Unfortunately, a security researcher who has chosen to remain anonymous has discovered a serious flaw in the software: The installation of a root security certificate, complete with private key, which can be extracted and used to attack any other system with the Synapse software installed.

'On Windows, Razer Synapse 3 installs an optional component - the Razer Chroma SDK - by default. This component installs a root certificate - with the private key - which is the same across installs,' the researcher explains in a public notification to the Full Disclosure mailing list. 'This key is extractable on Windows hosts, and can subsequently be used to launch SSL/MITM attacks against other Razer Synapse users. Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many Razer products - such as the Stealth and Blade laptops - many of these consumer laptops came shipped with this root certificate already installed, and are vulnerable out of the box.'

While Razer has not engaged directly with the researcher, it has confirmed through bug bounty platform HackerOne that the certificate has been switched out as of Chroma SDK Core 3.4.3 - the currently-shipping version. The researcher notes, however, that it's only partially resolved: 'These versions still install a root certificate with private key - and are thus able to MITM local TLS network traffic and undermine other local cryptographic operations - but the certificate is now generated per-install.'

Concerned Razer Synapse users can visit razerfish.org in a browser which relies on the Windows certificate store - such as Chrome or Edge - to confirm whether they have the shared root certificate installed. If no error appears in the browser, the certificate needs to be removed either by finding the 'Razer Chroma SDK' certificate in the Trusted Root Certification Authorities store or by upgrading to the latest release of Synapse - uninstalling the software, meanwhile, may leave the certificate behind.

Razer has not commented publicly on the vulnerability.

UPDATE 20190718:

Razer has issued the following statement downplaying the risk of the patched release's per-machine certificate outlined by the original security researcher. 'The root certificate is bound to the identity of the user’s machine so any browser would reject it as insecure if it were copied and used to identify a website by any party.  To create a spoofing scenario (like the one you outlined), a malicious party would first need to obtain the private key from the root certificate, then create a new certificate to leverage the chain of trust.  To obtain the root certificate’s private key (which has been made unique in the patched version of Synapse), the malicious party would need local administrative access to the user’s system.  If the malicious party has local administrative access, he is already within the trust level of the machine, in which case it is redundant to create a spoofing scenario to steal the customer’s information.'

Asked whether the presence of the certificate would allow Razer to carry out man-in-the-middle attacks against traffic from non-Razer software, rather than a theoretical 'malicious party,' the company responded: 'As for our use of customer data, Razer follows the data practices outlined in our Terms of Service and Privacy Policy.  We observe the requirements of compliance for GDPR as well as all other applicable laws.'

At the time of writing, Razer's Synapse software still installed the per-machine root certificate into the Windows Certificate Store.

Discuss this in the forums
Aquaceras Part 10 - Making Custom DDC Heatsinks

February 26 2021 | 22:15