lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANLicVFudPFN4TQo6OjRGnFRm=kYTz6vF2_T-mXWWZH7PSOAUw@mail.gmail.com>
Date: Mon, 8 Jul 2019 10:25:55 -0700
From: No One <anon581923@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Razer Synapse 3,
 Laptops Ship with Re-used Root Certificate with Private Key

Razer is a company that produces gaming-centric computer peripherals,
laptops, desktops, and mobile phones.  Many of their products allow for
rich customization of device lighting effects.  These features are managed
by a client application called Synapse.

On Windows, Razer Synapse 3 installs an optional component - the Razer
Chroma SDK - by default.  This component installs a root certificate - with
the private key - which is the same across installs. This key is
extractable on Windows hosts, and can subsequently be used to launch
SSL/MITM attacks against other Razer Synapse users.

Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many
Razer products - such as the Stealth and Blade laptops - many of these
consumer laptops came shipped with this root certificate already installed,
and are vulnerable out of the box.

This flaw impacts Razer Synapse 3 versions 1.0.103.136 build
3.4.0415.04181, and may impact older versions.

Some Synapse 3 versions available publicly through May and June of 2019
were not tested and may be impacted as well.

This flaw appears to have been addressed by a fix in Razer Chroma SDK Core
3.4.3, and also appears to be addressed in the latest version of Synapse 3
available on Razer's website at https://www.razer.com/synapse-3 which
installs version 1.0.103.136, build 3.4.0630.062510

These versions still install a root certificate with private key - and are
thus able to MITM local TLS network traffic and undermine other local
cryptographic operations - but the certificate is now generated per-install.

Users can confirm whether or not they're impacted by checking for the
following certificate in their Windows "Trusted Root Certification
Authorities" Store:

Common Name: Razer Chroma SDK

Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218

Valid from May 13, 2018 to May 10, 2028

Users can also test whether they're vulnerable by visiting
https://razerfish.org in either Chrome or Edge.  Impacted systems will not
encounter an SSL error when navigating to this website, which has an SSL
certificate signed with the re-used certificate.

End users who updated Synapse 3 appropriately may no longer be impacted.
However, users who haven't updated - or who may have removed the Chroma SDK
in non-standard ways - may still be at risk.  Similarly, many consumer
devices may be vulnerable immediately after purchase depending on their
manufacture/ship date.

Users can mitigate this risk independently by removing the above named
certificate, or downloading the latest version of Synapse 3 and confirming
that it properly removes this certificate.

*Reporting Coordination/Timeline*

This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019.
There hasn't been any substantial communication from the Razer team about
their preferences on disclosure since a tentative fix was tested in April.

Given the limited response, and since an update alone isn't guaranteed to
mitigate this issue for all Razer consumers, I've opted to publish this
publicly after three requests for guidance from Razer.

March 20th - Issue reported on HackerOne

March 25th - HackerOne forwards issue to Razer

April 30th - HackerOne requests confirmation of fix in Chroma SDK Core
3.4.3, fix confirmed

May 1st - HackerOne/Razer acknowledge an initial request for public
disclosure, say they'll look into it

May 15th - HackerOne says they've not heard back from Razer

May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says
they're still waiting on an update from Razer

June 27th - Requested update on case, propose disclosure on July 8th

July 8th - No response from HackerOne or Razer, posted to FD

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ