The Razer Chroma SDK installs with a root certificate that also includes its private key. This flaw impacts Razer Synapse 3 versions 1.0.103.136 build 3.4.0415.04181, and may impact older versions.
87e97b329881cde3f9618ebfb8e669baRazer is a company that produces gaming-centric computer peripherals,
laptops, desktops, and mobile phones. Many of their products allow for
rich customization of device lighting effects. These features are managed
by a client application called Synapse.
On Windows, Razer Synapse 3 installs an optional component - the Razer
Chroma SDK - by default. This component installs a root certificate - with
the private key - which is the same across installs. This key is
extractable on Windows hosts, and can subsequently be used to launch
SSL/MITM attacks against other Razer Synapse users.
Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many
Razer products - such as the Stealth and Blade laptops - many of these
consumer laptops came shipped with this root certificate already installed,
and are vulnerable out of the box.
This flaw impacts Razer Synapse 3 versions 1.0.103.136 build
3.4.0415.04181, and may impact older versions.
Some Synapse 3 versions available publicly through May and June of 2019
were not tested and may be impacted as well.
This flaw appears to have been addressed by a fix in Razer Chroma SDK Core
3.4.3, and also appears to be addressed in the latest version of Synapse 3
available on Razer's website at https://www.razer.com/synapse-3 which
installs version 1.0.103.136, build 3.4.0630.062510
These versions still install a root certificate with private key - and are
thus able to MITM local TLS network traffic and undermine other local
cryptographic operations - but the certificate is now generated per-install.
Users can confirm whether or not they're impacted by checking for the
following certificate in their Windows "Trusted Root Certification
Authorities" Store:
Common Name: Razer Chroma SDK
Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218
Valid from May 13, 2018 to May 10, 2028
Users can also test whether they're vulnerable by visiting
https://razerfish.org in either Chrome or Edge. Impacted systems will not
encounter an SSL error when navigating to this website, which has an SSL
certificate signed with the re-used certificate.
End users who updated Synapse 3 appropriately may no longer be impacted.
However, users who haven't updated - or who may have removed the Chroma SDK
in non-standard ways - may still be at risk. Similarly, many consumer
devices may be vulnerable immediately after purchase depending on their
manufacture/ship date.
Users can mitigate this risk independently by removing the above named
certificate, or downloading the latest version of Synapse 3 and confirming
that it properly removes this certificate.
*Reporting Coordination/Timeline*
This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019.
There hasn't been any substantial communication from the Razer team about
their preferences on disclosure since a tentative fix was tested in April.
Given the limited response, and since an update alone isn't guaranteed to
mitigate this issue for all Razer consumers, I've opted to publish this
publicly after three requests for guidance from Razer.
March 20th - Issue reported on HackerOne
March 25th - HackerOne forwards issue to Razer
April 30th - HackerOne requests confirmation of fix in Chroma SDK Core
3.4.3, fix confirmed
May 1st - HackerOne/Razer acknowledge an initial request for public
disclosure, say they'll look into it
May 15th - HackerOne says they've not heard back from Razer
May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says
they're still waiting on an update from Razer
June 27th - Requested update on case, propose disclosure on July 8th
July 8th - No response from HackerOne or Razer, posted to FD