Razer's Synapse hit by root certificate vulnerability

July 10, 2019 | 10:56

Tags: #chroma #flaw #insecurity #root-certificate #security #synapse #vulnerability

Companies: #hackerone #razer

An anonymous security researcher has warned of a security certificate vulnerability in Razer's Synapse software, partially resolved in a recent update but still giving the company the ability to perform man-in-the-middle (MITM) attacks on customers' encrypted network traffic at will.

The software side of Razer's gaming peripheral and RGB lighting ecosystem, Synapse is a must-install tool for managing its various products. Unfortunately, a security researcher who has chosen to remain anonymous has discovered a serious flaw in the software: the installation of a root security certificate, complete with private key, which can be extracted and used to attack any other system with the Synapse software installed.

'On Windows, Razer Synapse 3 installs an optional component - the Razer Chroma SDK - by default. This component installs a root certificate - with the private key - which is the same across installs,' the researcher explains in a public notification to the Full Disclosure mailing list. 'This key is extractable on Windows hosts, and can subsequently be used to launch SSL/MITM attacks against other Razer Synapse users. Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many Razer products - such as the Stealth and Blade laptops - many of these consumer laptops came shipped with this root certificate already installed, and are vulnerable out of the box.'

While Razer has not engaged directly with the researcher, it has confirmed through bug bounty platform HackerOne that the certificate has been switched out as of Chroma SDK Core 3.4.3 - the currently shipping version. The researcher notes, however, that the issue is only partially resolved: 'These versions still install a root certificate with private key - and are thus able to MITM local TLS network traffic and undermine other local cryptographic operations - but the certificate is now generated per-install.'

Concerned Razer Synapse users can visit razerfish.org in a browser which relies on the Windows certificate store - such as Chrome or Edge - to confirm whether they have the shared root certificate installed. If no error appears in the browser, the certificate is present and needs to be removed, either by finding the 'Razer Chroma SDK' certificate in the Trusted Root Certification Authorities store or by upgrading to the latest release of Synapse. Uninstalling the software, meanwhile, may leave the certificate behind.
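The certificate-store check described above can also be scripted. The following PowerShell is an added example, not code from Razer or the researcher; it assumes the certificate's subject or friendly name contains the string 'Razer Chroma SDK', and the function name is hypothetical. It goes one step beyond the article's check by also listing any trusted root whose private key is present on the machine, which is the condition the researcher says remains with the per-install certificate.

```powershell
# Added example: audit the Windows trusted-root stores for the certificate
# named in the article. Assumption: its Subject or FriendlyName contains
# 'Razer Chroma SDK'. Find-SuspectRootCertificate is a hypothetical name.
function Find-SuspectRootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$NamePattern = 'Razer Chroma SDK',
        [switch]$Remove   # removing from LocalMachine needs an elevated session
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameMatch = ($cert.Subject -like "*$NamePattern*") -or
                         ($cert.FriendlyName -like "*$NamePattern*")

            # A trusted root whose private key is stored locally can sign
            # certificates for any site, so report it even if the name differs.
            if (-not ($nameMatch -or $cert.HasPrivateKey)) { continue }

            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                NameMatch     = $nameMatch
            }

            # Only name-matched certificates are ever removed, and only after
            # the ShouldProcess confirmation prompt (or with -WhatIf to preview).
            if ($Remove -and $nameMatch -and
                $PSCmdlet.ShouldProcess($cert.PSPath, 'Remove root certificate')) {
                Remove-Item -LiteralPath $cert.PSPath -DeleteKey:$cert.HasPrivateKey
            }
        }
    }
}

# Report only; add -Remove to delete name-matched entries after confirmation.
Find-SuspectRootCertificate | Format-Table -AutoSize
```

Running the report again after uninstalling or upgrading Synapse shows whether the certificate was left behind.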

Razer has not commented publicly on the vulnerability.
