Bad motherboard firmware on the blade may expose your laptop to malware! | Razer Insider



Just so people know before they read this, I love Razer and have always supported them but this is serious stuff. If this is a fixed problem feel free to delete this post but if it is not then this needs to be known for the safety of Razer users.

A report is showing that Razer Blades are vulnerable to CVE-2018-4251, which may allow malware with admin perms access to the system's firmware. This is very risky, as it allows the malware to save itself in the BIOS so that even full wipes won't get rid of it, and it would evade any anti-virus detection as well.

The CVE-2018-4251 weakness was documented in public last June, after bug-hunters spotted that some Apple machines shipped with Intel's Management Engine (ME) manufacturing mode left enabled, rather than disabled. System builders are supposed to write their core firmware to the motherboard flash then disable manufacturing mode.


Last October Apple quickly moved to fix this with a security update, and if fox is to be believed then your machine could be affected. Apparently when FOX contacted Razer they declined to acknowledge this and put out a fix.



Source: https://www.theregister.co.uk/2019/04/03/razer_laptop_flaw/


19 Replies

This showed up today on TheRegister.co.uk as well - https://www.theregister.co.uk/2019/04/03/razer_laptop_flaw/. It is very serious, as it allows a takeover that is impossible to defeat by even heroic measures - the bios would have to be wiped and rewritten, which this flaw allows malware to block with Boot Guard. In other words, it will never be secure again. Nice. Just don't get infected...

As much as I like my 2017 Blade I have serious concerns about Razer's support. They are obviously heavily invested in keeping up with the latest technology with new gear to sell but quickly abandon even the most recent generations. (Consider the non-support for older devices in Synapse v3.) It has been a year since the last update (for Meltdown and Spectre), and that was just 6 months after I bought it. The CEO announced plans to support Linux about the time I bought my Blade - and absolutely nothing has happened since. It's a good thing that there is an active community that is finding solutions to porting problems but it would be a lot better with the promised corporate support. Last year one of the rubber cushion strips on the bottom came off; customer service promised to let me know when they would be back in stock. Fat chance. I contacted them again a short while ago and at this point I don't expect to ever see a replacement. For a $2k laptop this is unacceptable.

I really hope Razer gets out a fix for this vulnerability soon. On past performance I am skeptical. Fortunately there are increasingly more good choices when it comes time to replace. Vendors need to earn their return customers...
@SaltySailor YES! I completely agree, hope they fix this soon.

Also that is the source I used, I wrote it at the bottom of my thread 🙂.
Is there any news regarding this? Has anyone opened a support ticket?

This could easily be fixed by a ROM update; it would be nice to hear from Razer to know if all systems are effectively affected.

I will open a ticket now

Note: there's an update in the thread posted by @EggsLeggs that includes a supposed fix.
I'm not going to execute anything that I get from any site at this point 🙂 I'll talk to Razer first

So they are admitting there is a problem with currently shipping models, but no mention of previous models? This is what is driving me nuts about Razer: I love the hardware but they abandon their products too quickly. I hope I am wrong about it this time... And I agree: no downloading of new bios f/w from anyone but Razer; it's just too risky.
Hey! I have updates. I have contacted support, they supplied this document:

https://dl.razer.com/manuals/B56H1234F122.5/Razer%20Blade%20Intel%20ME%20Firmware%20Update%20Instructions%20for%20HFB5B6.pdf

Inside the document you can find a link to the IME updater. However, I tried to execute it and update my firmware, but the program hangs. It hangs in the middle of the process (see attach).

The keyboard and mouse are disconnected during the process. Apparently this is done by the program so you cannot do anything during the process. It was spooky, at first I thought that it had bricked my computer but I could still see notifications and CTRL+ALT+DEL responds.

I logged off, per support recommendation, and everything is still working. I'm talking to support to try to debug the problem.

Note: the press already released that there's a fix - https://www.techspot.com/news/79557-razer-issues-fix-well-known-intel-firmware-vulnerability.html

Last update: I went through a checklist with the support team and I couldn't get this to work. It still hangs.

Support is asking me to do a full laptop reset. I'm not going to do that right now, it takes a lot of time that I don't have at the present. Also, I need my laptop to work.

If I have to, I'll probably do it in a few weeks. Hopefully more people will be experiencing this and they will have to fix it.

Please let me know if you try the patch and what your outcome is.
Anyone else who tried to apply the patch?
Well not a great introduction to Razer...

Razer should really take security vulnerabilities a bit more seriously.

This week I got my new Blade 14” (2017) - Intel 7700HQ - GTX1060. Obviously the first thing I do is to get caught up with the system updates, because we're in 2019 now. I followed the link from that support page and the PDF has me download RazerUpdater_v1.1.1.0-ME.exe - it's the one that @diegoesp is referring to.

After applying that patch, curiosity had me wanting to check that my new version of the ME firmware is safe. I download an official tool from Intel... which tells me my system is still vulnerable! https://www.intel.com/content/www/us/en/support/articles/000025619.html

The Register article had my hopes up, linking to RazerUpdater_v1.1.1.0-ME mode-v2.exe, except I am fairly certain that's not compatible because I looked inside the archive and the torden.ini file doesn't list my model number RZ09-01953 - whereas the first one that is actually intended for my Blade, does. So while I could probably figure out how to force it to install, that might not be such a good idea.

Maybe there's a kind of silver lining, as the Register describes:

As we already stated, exploiting this bug would require the aggressor to have local admin-level access to the machine, and if a miscreant is running privileged code on your PC, there are about a thousand other things you'll want to worry about before considering the integrity of your mobo firmware

So maybe I'll be OK...
The thing is not looking good for now. I have executed the patch several times but it gets stuck in the middle. Support has suggested I do a factory reset, but my machine is fresh (I formatted like a couple of months ago) and running Windows 1809. I find it hard to believe that is the issue.

So after a few days they got back to me, asked me a couple of things and never resumed conversation. So... I assume they're looking around trying to solve the issue 😞
Razer really have not got on top of this...

So the question is, do we think I should RMA while I still can, while I am still well within 14 days of purchase? I doubt Razer is going to do anything in the next week that will actually fix the issue 😧

Even after that update, dated 29 Apr 2019 07:31 AM, both Intel Detection tools for ME firmware vulnerabilities still report the system is vulnerable:

And these are from more than 6 months ago.

Razer hardware is pricey so unresolved security vulnerabilities are the last thing I'd expect 😠

EDIT: Tracked down a newer Intel ME firmware update from Razer's Reddit: https://www.reddit.com/r/razer/comments/7os8l3/ntelsa00086_intel_management_engine_critical/

It updates Intel ME firmware to 11.8.50.3425, from I think it was 11.6...something.

INTEL-SA-00086-Detection-Tool now comes back green: "This system is not vulnerable. It has already been patched"

But Intel-SA-00125-Detection-Tool still says vulnerable.

There is probably a further update out there somewhere... Arrgh. It should not be up to me to track down updates. Razer should be updating their support pages!
Damn. You should write to systems@razersupport.com. Maybe they can lend you a hand? 😛
Okay I will change the Tag to support then. Hope staff would address this ASAP for you guys.
Well, in case you are interested @diegoesp, @EggsLeggs, @SaltySailor. This one is for you. Sorry for a slightly long post but seeing as this is basically a farewell post, I want to thank you all.

TL;DR: Totally relate to what you're saying, @EggsLeggs. I'm seriously getting spooked (no Spectre-related puns intended). Spooked by Razer's level of quality control and apparently abysmal customer service. So I'm probably going to RMA while I still can.

It's a shame because I think the specs are great and I'm happy with the keyboard. But if I ever have a problem, I think I'm going to be in for a world of hassle dealing with Razer. For the price, I'm expecting a certain level of service and the horror stories I'm seeing everywhere don't exactly reassure me.

Now that I think about it, I am a bit horrified that Razer would ship a new laptop to me without first fixing such a serious security vulnerability - and then having done that, not making all the necessary updates readily available.

@RazorSupport picked up on my reply to that tweet from fox8091 and had me DM them. Here's what they replied to my (attached) DM:

We appreciate that you have brought this to our attention. We definitely take security concerns seriously. We've notified our Support Team about this. Please allow them to contact you back within 12-24 hours via as they need to coordinate with a relevant team. We will forward this as feedback so we can continuously improve our products and service as well.

Monday is a public holiday (bank holiday) so I'm concerned that this is stalling that will take me past 14 days and prevent me getting a refund.

I'd already had a useless reply from "Jayson" at systems-eu@razersupport.com telling me to update my firmware with RazerUpdater_v1.1.1.0-ME.exe, which I'd already done - and btw, checking with Intel's detection tools, it shows that update doesn't actually resolve the vulnerability.
Hi there, @dafuloth! Can you send the case number over to me through PM? I'd like to check out the issue regarding the Intel-SA-00125. You can use this link. I'll pick it up from there.
I was traveling for the last couple of weeks. Now I'm back so I will continue dealing with this. Any news whatsoever?
Hi! I'm channeling this through systems@. Is that OK?

Thanks
It got moved to the support tag and then redpanda said he'll look into it. Still hasn't been fixed as far as I know and new vulnerabilities like spectrum obv hasn't been fixed because they haven't found an easy way to do so yet - that's more on Intel's side I think. @diegoesp
Looks like things have improved a bit. Just took two months...

The support page has had a whole load of new security patches added to it: https://support.razer.com/gaming-laptops/razer-blade/

A couple didn't work for me though:

  • Infineon Trusted Platform Module (TPM) / INTEL-SA-00104 - I disabled TPM as instructed, and when it said something along the lines of no TPM detected I tried it with TPM enabled but got the same error message
  • Intel MDS/Zombieload/Rogue In-Flight Data Load (RIDL)/Fallout (Release Date: 31/5/2019), is the second BIOS update - earlier one updates to v5.00, this one to v5.01 - but I get "AFUWINx64.exe has stopped working" and the updater freezes with progress bar not quite at the end

I didn't RMA because I actually needed the laptop - an insecure working laptop is better than no laptop at all. Glad that Razer finally appears to be taking security seriously.
I did the updates last week. All of them went well. I went from top to bottom, and IIRC one of them did nothing because an earlier one had covered it, but otherwise it looked good. About time, but appreciated.
Just went through all patches in here => https://support.razer.com/gaming-laptops/razer-blade-v5/
Wanted to share my experience.

I was able to install all of them except for "Manufacturing Mode" (CVE-2018-4251). When I try to install it the progress bar starts moving and then the updater app force closes. I've contacted support and they tried a couple of workarounds but no success. They suggested I reset the laptop but I will not do that, since it takes a lot of time and effort and it is not likely to fix the problem; probably they're suggesting it per process. I've told them that and that I will wait for a few months before considering it, maybe they will find a fix during that period.

While the laptop is still working, one very unfortunate side effect of the patching is that sleep is not working as expected anymore. Every time I try to put the laptop to sleep it hangs and it is not possible to turn it on again; I've got to do a force shutdown to get it back working. I'm debugging that with system support now.

All in all, while the patches do not look like they can cause a catastrophic failure to your system, I'd suggest you do not update and wait. It looks flaky, at least for now.