Razer Synapse 3 LibWebP vulnerabilities (CVE-2023-1999 & CVE-2023-4863) | Razer Insider

  • 25 February 2024
  • 12 replies
  • 1476 views

Userlevel 2

Hello,
 

In September 2023, Google published CVE-2023-4863 and CVE-2023-5217 to address vulnerabilities in WebP (a compression format for images on the web) and libvpx (a software video codec library) that may result in remote code execution. The subsequent impact to Microsoft products has been documented in the Security Update Guide and the MSRC blog. Google is aware that exploits exist for both vulnerabilities.


These CVEs are both categorised as High Severity and we are notified that “A verified remote code execution exploit is publicly available for one or more weaknesses related to this recommendation.”

Currently we have 4 machines that appear to have Razer Software installations that have this 3rd party component included and are therefore being flagged as affected by both CVE-2023-4863 and a separate (earlier) WebP vulnerability CVE-2023-1999 (I believe the existence of these 2 vulnerabilities is why all 4 of our affected devices are being flagged as High Risk in our vulnerability monitoring system).

N.B. Our vulnerability monitoring system flags the following 2 files as vulnerable on all 4 devices:

File                                                        File Version   Affected by CVEs
C:\Windows\Installer\Razer\installer\app\libwebp_x64.dll    1.1.0.0        CVE-2023-1999 & CVE-2023-4863
C:\Windows\Installer\Razer\installer\app\libwebp_x86.dll    1.1.0.0        CVE-2023-1999 & CVE-2023-4863


I believe the existence of these 2 files is caused by the installation of Razer Synapse on these devices. At this stage it is unclear exactly which version(s) are installed on each device – so I will need to check via our software discovery to get a better idea of what app (and version) is installed on each device; failing that, I will need to check locally on at least one of our machines to carry out an investigation.

The only reference I can find on the Razer site(s) to the C:\Windows\Installer\Razer\* path is this forum article: https://insider.razer.com/razer-synapse-29/delete-c-windows-installer-razer-over-13gb-45177, however as both the affected LibWebP DLLs exist below the “C:\Windows\Installer\Razer\installer\app” folder, deleting the affected files does not appear to be an option.

The latest Razer downloads can be found via: https://www.razer.com/gb-en/pc/software, specifically for the Current release of Synapse 3: https://www.razer.com/gb-en/synapse-3
Direct download: https://rzr.to/synapse-3-pc-download for “RazerSynapseInstaller_V1.16.0.543.exe”

Another observation: The installer version numbering has no obvious relationship to the actual product version installed (Installer v1.x.x / Product v3.x.x), so it is unclear if this is a newer version than what the user(s) already have installed.

From my searching I can find no Release Notes of any substance anywhere on the Razer sites (main site (razer.com) or forum (insider.razer.com)), so it is anyone’s guess if updates to this product have had the fixes included by now.
Searching (without quotes) on Google for: “CVE-2023-1999 site:razer.com” returns zero results – Indicating there is no mention of this CVE anywhere on the indexed pages of the Razer site(s).
Searching (without quotes) on Google for: “CVE-2023-4863 site:razer.com” returns zero results – Indicating there is no mention of this CVE anywhere on the indexed pages of the Razer site(s).

 

If it comes to it, a clean re-installation of Razer Synapse could potentially be performed on each device following these instructions: https://mysupport.razer.com/app/answers/detail/a_id/1708
However, Step 8 makes absolutely no mention of the C:\Windows\Installer\Razer\* path, so I’d suspect this would still not resolve the issue.

Can you:

  1. Confirm if these CVEs have already been fixed in a later version of the Razer software (I assume Synapse 3)?
  2. Confirm which version of Synapse 3 we need to have installed to remove these CVEs?
  3. Confirm which version of the Installer I should use to install the fixed version of Synapse 3?
  4. Confirm where your product Release Notes are published that state where and when this CVE was resolved in your software?
  5. Update your Clean re-installation instructions to detail any other Razer folders that may need to be removed (e.g. below C:\Windows\Installer\Razer)?
  6. Can you make some major improvements to the manner in which you publish your release notes, so we, as customers of your product(s), know exactly what has been fixed, for what reason and when?
    N.B. This is worth a read: https://www.productplan.com/learn/release-notes-best-practices/

I look forward to your answers as soon as you possibly can, so I can resolve these high severity CVEs from my estate.

 

Thanks in Advance,

Adrian Scott

EUC engineer


12 Replies

Userlevel 2

Update:

I have checked via our software discovery to get a better idea of what app (and version) are installed on each device - sadly none of them show any Razer software installed.
So, I have just performed a local investigation on one of our affected devices and there is no evidence of any Razer software installed in Add or Remove programs.
The user's device I have checked this morning no longer uses their Razer device, and it would appear that this software folder is created during a plug and play driver installation.
I have run the following PowerShell command on the user's device (in the “C:\Windows\Installer\Razer\” folder):

Get-ChildItem libwebp*.dll,Razer*.dll,RazerInstaller.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | Format-Table -AutoSize

and these are the results:

ProductVersion FileVersionRaw FileName
-------------- -------------- --------
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x64.dll
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x86.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\de-DE\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\es-ES\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\fr-FR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ja-JP\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ko-KR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\pt-BR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.DetectManagerWrapper.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.RazerInstallerCommon.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\RazerInstaller.exe
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ru-RU\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHS\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHT\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\RazerInstaller.exe

So it would appear (in this case) the vulnerable files are placed here as part of the Razer device drivers shipped with v1.7.0.311.

So, new questions:
1) Are there any newer drivers available that ship with updated (non-vulnerable) libwebp_*.dlls? And if so, where can I get hold of these? (I can see that you have a Drivers & Firmware page: https://mysupport.razer.com/app/answers/detail/a_id/4166?_gl - but without knowing what device(s) our users have, it is difficult to know exactly the correct installer)
2) For users that no longer have Razer devices in use, can you detail the process to properly and entirely remove all traces of the software / drivers from a user's device (similar to https://mysupport.razer.com/app/answers/detail/a_id/1708)?

Thanks in advance,
Adrian Scott
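
A reusable form of the version check in the post above, as an added example (not code from the original post or from Razer): it inventories every libwebp DLL under a folder, compares the version resource against a minimum fixed version, and records a SHA-256 so the same file can be tracked across an estate. The function name, the default threshold of 1.3.2 (the upstream libwebp release that fixed CVE-2023-4863, and later than the fix for CVE-2023-1999) and the choice of ProductVersion as the libwebp version are assumptions; the thread itself shows three different version strings for the same file, so treat the result as a triage aid.

```powershell
# Added example: inventory libwebp DLLs and flag those below a fixed version.
function Get-LibWebPInventory {
    [CmdletBinding()]
    param(
        # Folders to search; the default is the path reported in the thread.
        [string[]]$Path = @('C:\Windows\Installer\Razer'),
        # Assumption: upstream libwebp 1.3.2 contains the fix for CVE-2023-4863.
        [version]$MinimumFixed = '1.3.2'
    )

    Get-ChildItem -Path $Path -Filter 'libwebp*.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo

            # ProductVersion is free text (e.g. "1.1.0"); keep only the leading
            # dotted number so it can be compared as a [version].
            $parsed = $null
            if ($info.ProductVersion -match '^\s*(\d+(\.\d+){1,3})') {
                $parsed = [version]$Matches[1]
            }

            # A DLL with no usable version resource is reported, not skipped.
            $status = if (-not $parsed) { 'Unknown' } elseif ($parsed -lt $MinimumFixed) { 'Vulnerable' } else { 'OK' }

            [pscustomobject]@{
                Status         = $status
                ProductVersion = $info.ProductVersion
                FileVersionRaw = $info.FileVersionRaw
                SHA256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                FullName       = $_.FullName
            }
        }
}

# Run from an elevated prompt so that C:\Windows\Installer is readable.
Get-LibWebPInventory |
    Sort-Object Status, FullName |
    Format-Table Status, ProductVersion, FileVersionRaw, FullName -AutoSize
```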

Userlevel 2

Can anyone at Razer Support provide an answer please?

Userlevel 7

@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ?

Userlevel 2

Am I talking into a black hole with this Security Vulnerability?
@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ?

Hello, leetbusVividCerise468,

 
Thank you very much for raising this question. Because of the Razer Synapse 3 LibWebP vulnerabilities, I had to uninstall Razer Synapse 3 and now cannot use my Razer Naga V2 HyperSpeed mouse. It was very useful in my work, but for now it is only gathering dust.

 

I hope technical will pay attention to this issue.

Userlevel 2

Sadly after 2.5 weeks I have still had absolutely no response from Razer’s support team.
Their response to my question just goes to show how good their support actually is 😜

For users' devices that no longer use Razer hardware, I have so far:

  • Checked that Razer Synapse 3 is uninstalled - it was and the C:\Windows\Installer\Razer folder still existed
  • Uninstalled (and deleted) all ‘ghost’ device drivers for Razer devices (Open Device Manager and choose: View > Show Hidden Devices, you will see them as "greyed out" devices. Right click and select uninstall)
  • Deleted the C:\Windows\Installer\Razer folder

I am not sure if this would have any long term consequences or if this would be a ‘supported’ solution, but I needed to make progress on removing these high severity CVEs

If any of our users still use Razer hardware, no fix has been suggested.
 

Come on Razer (@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ? ) help us out here 🤷

Userlevel 7

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

Hi guys, 

Probably some good news for you: There is a NEW Synapse Software available (BETA).

You can check it out here: https://www.razer.com/de-de/synapse-new (german setting)

The new software comes with a new UI and has this issue resolved as the vulnerable .dll files are not installed anymore:

 

Hope this helps!

Cheers,

CS

Userlevel 2

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

FYI: This app does not appear to work on a fully up-to-date patched Windows 10 22H2 (10.0.19045.4170). Launching the application from an Administrative prompt (PowerShell or Command Prompt) doesn’t appear to do anything. I’ve watched the CPU activity for the app and within a couple of seconds it stops at 0% and never increases, so I can only conclude it has failed. I suspect that, due to the age of this command line app, it may require a specific .NET Framework that has now been superseded.

I have had to resort to using my method above to remove ‘Ghost devices’

Userlevel 7

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

FYI: This app does not appear to work on a fully up-to-date patched Windows 10 22H2 (10.0.19045.4170). Launching the application from an Administrative prompt (PowerShell or Command Prompt) doesn’t appear to do anything. I’ve watched the CPU activity for the app and within a couple of seconds it stops at 0% and never increases, so I can only conclude it has failed. I suspect that, due to the age of this command line app, it may require a specific .NET Framework that has now been superseded.

I have had to resort to using my method above to remove ‘Ghost devices’

You may be right, but I tested it personally on a bunch of PCs including old/new Win 10 and 11, and it always worked correctly for me. But every environment is different, so it can be a bug in the app or some framework missing in the OS as you’ve mentioned.

Userlevel 2

Hi guys, 

Probably some good news for you: There is a NEW Synapse Software available (BETA).

You can check it out here: https://www.razer.com/de-de/synapse-new (german setting)

The new software comes with a new UI and has this issue resolved as the vulnerable .dll files are not installed anymore:

 

Hope this helps!

Cheers,

CS

Good to know that a later version should fix this, but security policy prevents me from using ‘Beta’ software on our production devices.
Making customers wait for the later Synapse to be released is not the fix for this; Razer needs to provide a patched version of the existing Razer software versions - like any good software vendor. 🤷🏻

Does any silent parameter exist which can be used to mitigate \ update Synapse without requiring user interaction?!  🙄
