Razer Synapse 3 LibWebP vulnerabilities (CVE-2023-1999 & CVE-2023-4863)

  • 25 February 2024

Userlevel 3

Hello,
 

In September 2023, Google published CVE-2023-4863 and CVE-2023-5217 to address vulnerabilities in WebP (a compression format for images on the web) and libvpx (a software video codec library) that may result in remote code execution. The subsequent impact to Microsoft products has been documented in the Security Update Guide and the MSRC blog. Google is aware that exploits exist for both vulnerabilities.


These CVEs are both categorised as High Severity and we are notified that “A verified remote code execution exploit is publicly available for one or more weaknesses related to this recommendation.”

Currently we have 4 machines that appear to have Razer Software installations that have this 3rd party component included and are therefore being flagged as affected by both CVE-2023-4863 and a separate (earlier) WebP vulnerability CVE-2023-1999 (I believe the existence of these 2 vulnerabilities is why all 4 of our affected devices are being flagged as High Risk in our vulnerability monitoring system).

N.B. Our vulnerability monitoring system flags the following 2 files as vulnerable on all 4 devices:

File | File Version | Affected by CVEs
C:\Windows\Installer\Razer\installer\app\libwebp_x64.dll | 1.1.0.0 | CVE-2023-1999 & CVE-2023-4863
C:\Windows\Installer\Razer\installer\app\libwebp_x86.dll | 1.1.0.0 | CVE-2023-1999 & CVE-2023-4863


I believe the existence of these 2 files is caused by the installation of Razer Synapse on these devices. At this stage it is unclear exactly which version(s) are installed on each device, so I will need to check via our software discovery to get a better idea of what app (and version) is installed on each device; failing that, I will need to check locally on at least one of our machines to carry out an investigation.

The only reference I can find on the Razer site(s) to the C:\Windows\Installer\Razer\* path is this forum article: https://insider.razer.com/razer-synapse-29/delete-c-windows-installer-razer-over-13gb-45177, however as both the affected LibWebP DLL’s exist below the “C:\Windows\Installer\Razer\installer\app” folder; deleting the affected files does not appear to be an option.

The latest Razer downloads can be found via: https://www.razer.com/gb-en/pc/software, specifically for the Current release of Synapse 3: https://www.razer.com/gb-en/synapse-3
Direct download: https://rzr.to/synapse-3-pc-download for “RazerSynapseInstaller_V1.16.0.543.exe”

Another observation: The installer version numbering has no obvious relationship to the actual product version installed (Installer v1.x.x / Product v3.x.x), so it is unclear if this is a newer version than what the user(s) already have installed.

From my searching I can find no Release Notes of any substance anywhere on the Razer sites (main site (razer.com) or forum (insider.razer.com)), so it is anyone’s guess whether updates to this product have had the fixes included by now.
Searching (without quotes) on Google for: “CVE-2023-1999 site:razer.com” returns zero results – Indicating there is no mention of this CVE anywhere on the indexed pages of the Razer site(s).
Searching (without quotes) on Google for: “CVE-2023-4863 site:razer.com” returns zero results – Indicating there is no mention of this CVE anywhere on the indexed pages of the Razer site(s).

 

If it comes to it, a clean re-installation of Razer Synapse could potentially be performed on each device following these instructions: https://mysupport.razer.com/app/answers/detail/a_id/1708
However, Step 8 makes absolutely no mention of the C:\Windows\Installer\Razer\* path, so I’d suspect this would still not resolve the issue.

Can you:

  1. Confirm if these CVEs have already been fixed in a later version of the Razer software (I assume Synapse 3)?
  2. Confirm which version of Synapse 3 we need to have installed to remove these CVEs?
  3. Confirm which version of the Installer I should use to install the fixed version of Synapse 3?
  4. Confirm where your product Release Notes are published that state where and when this CVE was resolved in your software?
  5. Update your Clean re-installation instructions to detail any other Razer folders that may need to be removed (e.g. below C:\Windows\Installer\Razer)?
  6. Can you make some major improvements to the manner in which you publish your release notes, so we, as customers of your product(s), know exactly what has been fixed, for what reason and when?
    N.B. This is worth a read: https://www.productplan.com/learn/release-notes-best-practices/

I look forward to your answers as soon as you possibly can, so I can resolve these high severity CVEs from my estate.

 

Thanks in Advance,

Adrian Scott

EUC engineer


17 Replies

Userlevel 3

Update:

I have checked via our software discovery to get a better idea of what app (and version) are installed on each device - sadly none of them show any Razer software installed.
So, I have just performed a local investigation on one of our affected devices and there is no evidence of any Razer software installed in Add or Remove programs.
The user's device I have checked this morning no longer uses their Razer device, and it would appear that this software folder is created during a plug and play driver installation.
I have run the following PowerShell command on the user's device (in the “C:\Windows\Installer\Razer\” folder):

Get-ChildItem libwebp*.dll,Razer*.dll,RazerInstaller.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | Format-Table -AutoSize

and these are the results:

ProductVersion FileVersionRaw FileName
-------------- -------------- --------
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x64.dll
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x86.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\de-DE\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\es-ES\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\fr-FR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ja-JP\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ko-KR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\pt-BR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.DetectManagerWrapper.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.RazerInstallerCommon.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\RazerInstaller.exe
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ru-RU\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHS\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHT\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\RazerInstaller.exe

So it would appear (in this case) the vulnerable files are placed here as part of the Razer device drivers shipped with v1.7.0.311.

So, new questions:
1) Are there any newer drivers available that ship with updated (non-vulnerable) libwebp_*.dlls? and if so where can I get hold of these? (I can see that you have a Drivers & Firmware page: https://mysupport.razer.com/app/answers/detail/a_id/4166?_gl - but without knowing what device(s) our users have, it is difficult to know exactly the correct installer)
2) For users that no longer have Razer devices in use, can you detail the process to properly and entirely remove all traces of the software / drivers from a users device (Similar to https://mysupport.razer.com/app/answers/detail/a_id/1708) ?

Thanks in advance,
Adrian Scott
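
Added example, not part of the original post and not Razer tooling: a read-only PowerShell inventory that extends the command above by comparing each libwebp DLL against a minimum fixed version and recording a SHA-256 for the asset record. The helper name ConvertTo-VersionOrNull and the $MinFixed default of 1.3.2 are assumptions introduced here; the thread itself does not state a fixed version.

```powershell
# Added example: read-only inventory of libwebp DLLs, flagged against a minimum fixed version.
param(
    # Folder named in the thread; pass further roots to widen the search.
    [string[]]$Root = @('C:\Windows\Installer\Razer'),
    # Assumption, not from the thread: upstream libwebp 1.3.2 carries the fixes for both CVEs.
    [version]$MinFixed = '1.3.2'
)

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # Version strings can carry suffixes; keep only the first dotted number.
    if ($Text -match '\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

# FileVersionRaw reports 0.0.0.0 when a file has no version resource.
$none = [version]'0.0.0.0'

Get-ChildItem -Path $Root -Filter 'libwebp*.dll' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # The listing above shows the two fields disagreeing (1.1.0 vs 1.0.1.0),
        # so collect both and flag the file if either is below the fixed release.
        $claimed = @(
            ConvertTo-VersionOrNull $vi.ProductVersion
            $vi.FileVersionRaw
        ) | Where-Object { $_ -gt $none }

        $state = if (-not $claimed) {
            'Unknown'            # no usable version resource: inspect by hand
        } elseif ($claimed | Where-Object { $_ -lt $MinFixed }) {
            'BelowFixed'
        } else {
            'AtOrAboveFixed'
        }

        [pscustomobject]@{
            State          = $state
            ProductVersion = $vi.ProductVersion
            FileVersionRaw = $vi.FileVersionRaw
            SHA256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Path           = $_.FullName
        }
    }
```

The script emits objects rather than a formatted table, so the result can be piped to Export-Csv or collected centrally from several machines.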

Userlevel 3

Can anyone at Razer Support provide an answer please?

Userlevel 7

@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ?

Userlevel 3

Am I talking into a black hole with this Security Vulnerability?
@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ?

Hello, leetbusVividCerise468,

 
Thank you very much for raising this question. Because of the Razer Synapse 3 LibWebP vulnerabilities, I had to uninstall Razer Synapse 3 and now cannot use my Razer Naga V2 HyperSpeed mouse. It was very useful in my work, but for now it is only gathering dust.

 

I hope technical will pay attention to this issue.

Userlevel 3

Sadly after 2.5 weeks I have still had absolutely no response from Razer’s support team.
Their response to my question just goes to show how good their support actually is 😜

For users' devices that no longer use Razer hardware, I have so far:

  • Checked that Razer Synapse 3 is uninstalled - it was and the C:\Windows\Installer\Razer folder still existed
  • Uninstalled (and deleted) all ‘ghost’ device drivers for Razer devices (Open Device Manager and choose: View > Show Hidden Devices, you will see them as "greyed out" devices. Right click and select uninstall)
  • Deleted the C:\Windows\Installer\Razer folder

I am not sure if this would have any long term consequences or if this would be a ‘supported’ solution, but I needed to make progress on removing these high severity CVEs

If any of our users still use Razer hardware, No fix has been suggested.
 

Come on Razer (@Razer.Speedcr0ss @Razer.Aero @Razer.Zionzedd ? ) help us out here 🤷
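
Added example, not part of the original post: a read-only PowerShell check that reports what is left on a machine after the manual cleanup steps listed above (installer folder, libwebp copies, non-present devices, staged driver packages). The $pattern match string and the output property names are assumptions introduced here; run it from an elevated prompt, since Get-WindowsDriver requires elevation.

```powershell
# Added example: read-only check of what remains after the manual cleanup. Run elevated.
$installerDir = 'C:\Windows\Installer\Razer'   # path from the thread
$pattern      = 'Razer'                        # assumption: vendor string to match on

# Devices Windows remembers but that are not connected ("ghost" devices).
$ghosts = @(Get-PnpDevice -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Present -and
                   ($_.FriendlyName -match $pattern -or $_.Manufacturer -match $pattern) })

# Third-party driver packages still staged in the driver store.
$staged = @(Get-WindowsDriver -Online -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match $pattern })

# libwebp copies remaining under the installer folder, if the folder still exists.
$dlls = @(Get-ChildItem -LiteralPath $installerDir -Filter 'libwebp*.dll' `
    -Recurse -Force -ErrorAction SilentlyContinue)

# One summary row per machine, suitable for collecting across the estate.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    InstallerDirPresent = Test-Path -LiteralPath $installerDir
    LibWebpFiles        = $dlls.Count
    GhostDevices        = $ghosts.Count
    GhostDeviceIds      = ($ghosts.InstanceId -join '; ')
    StagedDriverInfs    = ($staged.Driver -join '; ')
}
```

A machine that still lists staged driver packages can bring the folder back the next time a matching device is plugged in, which is worth checking before closing the finding.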

Userlevel 7

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

Hi guys, 

Probably some good news for you: There is a NEW Synapse Software available (BETA).

You can check it out here: https://www.razer.com/de-de/synapse-new (german setting)

The new software comes with a new UI and has this issue resolved as the vulnerable .dll files are not installed anymore:

 

Hope this helps!

Cheers,

CS

Userlevel 3

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

FYI: This app does not appear to work on a fully up-to-date, patched Windows 10 22H2 (10.0.19045.4170). Launching the application from an Administrative prompt (PowerShell or Command Prompt) doesn’t appear to do anything. I’ve watched the CPU activity for the app and within a couple of seconds it stops at 0% and never increases, so I can only conclude it has failed. I suspect that, due to the age of this command line app, it may require a specific .NET Framework that has now been superseded.

I have had to resort to using my method above to remove ‘Ghost devices’

Userlevel 7

For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.

FYI: This app does not appear to work on a fully up-to-date, patched Windows 10 22H2 (10.0.19045.4170). Launching the application from an Administrative prompt (PowerShell or Command Prompt) doesn’t appear to do anything. I’ve watched the CPU activity for the app and within a couple of seconds it stops at 0% and never increases, so I can only conclude it has failed. I suspect that, due to the age of this command line app, it may require a specific .NET Framework that has now been superseded.

I have had to resort to using my method above to remove ‘Ghost devices’

You may be right, but I tested it personally on a bunch of PCs including old/new Win 10 and 11, and it always worked correctly for me. But every environment is different, so it can be a bug in the app or some framework missing in the OS, as you’ve mentioned.

Userlevel 3

Hi guys, 

Probably some good news for you: There is a NEW Synapse Software available (BETA).

You can check it out here: https://www.razer.com/de-de/synapse-new (german setting)

The new software comes with a new UI and has this issue resolved as the vulnerable .dll files are not installed anymore:

 

Hope this helps!

Cheers,

CS

Good to know that a later version should fix this, but security policy prevents me from using ‘Beta’ software on our production devices.
Making customers wait for the later Synapse to be released is not the fix for this, Razer needs to provide a patched version of the existing Razer software versions - Like any good software vendor. 🤷🏻

Does any silent parameter exist which can be used to mitigate \ update synapse without requiring User Interaction ?!?!!?!??!?  🙄

FYI - Razer Synapse official 20240429 is available for update. I don’t know if this fixes anything. I just started following this issue a few minutes ago.

Hey @leetbusVividCerise468 , general question because I'm genuinely worried about this and then considered it for a while and I am curious of your opinion.   

 

What would the attack chain for this be?

 

  I suspect Razer is only using this for loading their own images. 

Outside of some compromised advanced MITM attack or assuming there were no safeguards in place for unauthorized images and urls for image fetching or a server breach. 

Wouldn't this just be an (I already have access kind of thing) or perhaps a pivot from one already infected device? 

I have not tested any of this but perhaps a bugcrowd report could get things started IF THEY WANT to ignore it and I'd be happy to further the security research effort on my end towards a (means to an end and solution / responsible disclosure that helps us all know what is going on.) 

Considering where the installer runs from....outside of secure boot this could become a much bigger problem for the end user and I'd like to think reprogramming a few changed library references in their source would take this long.  My experience is developers are never wrong publicly until they have no choice to be lol.

 

I already have a fairly straight forward poc in mind...."string search" the fetching urls and dns spoof to a fake server from the same lan. 

RAZER CDN compromise is obviously off limits for research for us good folks but not out of scope for the bad guys.

However I only see a few attack vectors, and if I am wrong help a brother out.  My experience with synapse is limited. Are there messaging features etc. that display in a vulnerable version of chromium?  I'll throw up a vm today and play.  Try to pop some calculators lol.

After all, installing core functionality drivers is one thing.  Harassing people who paid hard earned money by using nt/authority and windows update to hard install drivers and soft install software 'pending user agreement', and not only that but, when skipped, leaving potential remnants all over the place just rubs me the wrong way.  I have much more expensive peripherals that wouldn't dare.  The question is why? Just put a product card and a link in the box for people who want the software, then install a bare bones low attack surface generic pnp driver or use an existing one, the same one that navigates my uefi before any os install lol....

 

Hopefully we will hear from Razer officially soon.  Sad when the public needs to do a job they themselves should do.  These forums should be so closely watched a needle can't drop outside of an escalation chain.

I don't mean to dog on them but there is no reason this post should have been ignored this long.

My typical customer support with them has been amazing and I'd expect that to extend to here as well.  We shall see.

Well despite having big goals today all I managed was to install razer synapse from the official download link while using a different keyboard on a new install of windows and was able to install from that installer before the trusted installer ran the synapse download that my board prompts…..I can find neither file after doing it this way but that does not mean it is not baked into a binary somewhere.

Need more time and effort lol.

Userlevel 3

I am unsure if your machine has installed the original version or the new (beta) version available via https://www.razer.com/gb-en/synapse-new - but interestingly, that page also has not been updated in a while:

Coming in February: Select headsets, Kraken Kitty, Nari Ultimate, Nari Essential.
Coming in March: Additional new and previously released devices.

As it’s now May 2024, do I assume they are referring to February / March 2025? 🤣

My removal process (linked above) has appeared to work with no ill effect (AFAIK), but I’ve noticed only this week another new member of staff has plugged in another Razer Device and this vulnerability has re-appeared 🤦. I suspect (depending on the device) the driver install downloads and installs the current (v1.x?) release Synapse software which contains these vulnerable files, maybe newer devices use a different / newer version - hence why you have not seen these vulnerable files? 🤷

I am unsure if your machine has installed the original version or the new (beta) version available via https://www.razer.com/gb-en/synapse-new - but interestingly, that page also has not been updated in a while:

Coming in February: Select headsets, Kraken Kitty, Nari Ultimate, Nari Essential.
Coming in March: Additional new and previously released devices.

As it’s now May 2024, do I assume they are referring to February / March 2025? 🤣

My removal process (linked above) has appeared to work with no ill effect (AFAIK), but I’ve noticed only this week another new member of staff has plugged in another Razer Device and this vulnerability has re-appeared 🤦. I suspect (depending on the device) the driver install downloads and installs the current (v1.x?) release Synapse software which contains these vulnerable files, maybe newer devices use a different / newer version - hence why you have not seen these vulnerable files? 🤷

 

 

 

Yeah Hard to tell without getting super involved.

RazerSynapseInstaller_V1.17.0.600 is the one I downloaded and installed to test.

Same Hash as this.
https://www.virustotal.com/gui/file/f051896ab2043d06236e047efd6a2a719a399bb99fc810e5a671412f0ec35dea

 

Sorry I don’t remember the exact URL I downloaded it from on the Razer site but I am sure I just followed the normal Google → Razer → etc..

Strange of Razer to pull the affected libraries out of the installer location and not note it in a change log.

Also strange that windows is still pushing the old update… I am guessing the keyboard doesn't have onboard writable memory for driver requisition, at least I hope it doesn't lol and windows update just installed whatever is the closest match to the device ID provided.

Maybe they used the same Identifier across a ton of boards and need an older more generic driver to support them all Out of The Box?  This is really bad if so.

IDK, none of it really makes much sense.
