Update:
I have checked via our software discovery to get a better idea of what app (and version) are installed on each device - sadly none of them show any Razer software installed.
So, I have just performed a local investigation on one of our affected devices and there is no evidence of any Razer software installed in Add or Remove programs.
The user's device I have checked this morning no longer uses their Razer device, and it would appear that this software folder is created during a plug and play driver installation.
I have run the following PowerShell command on the user's device (in the “C:\Windows\Installer\Razer\” folder):
Get-ChildItem libwebp*.dll,Razer*.dll,RazerInstaller.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object versioninfo -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename | Format-Table -AutoSize
and these are the results:
ProductVersion FileVersionRaw FileName
-------------- -------------- --------
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x64.dll
1.1.0 1.0.1.0 C:\Windows\Installer\Razer\Installer\App\libwebp_x86.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\de-DE\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\es-ES\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\fr-FR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ja-JP\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ko-KR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\pt-BR\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.DetectManagerWrapper.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\Razer.RazerInstallerCommon.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\RazerInstaller.exe
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\ru-RU\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHS\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\App\zh-CHT\Razer.RazerInstallerCommon.resources.dll
1.7.0.311 1.7.0.311 C:\Windows\Installer\Razer\Installer\RazerInstaller.exe
So it would appear (in this case) the vulnerable files are placed here as part of the Razer device drivers shipped with v1.7.0.311.
So, new questions:
1) Are there any newer drivers available that ship with updated (non-vulnerable) libwebp_*.dlls? and if so where can I get hold of these? (I can see that you have a Drivers & Firmware page: https://mysupport.razer.com/app/answers/detail/a_id/4166?_gl - but without knowing what device(s) our users have, it is difficult to know exactly the correct installer)
2) For users that no longer have Razer devices in use, can you detail the process to properly and entirely remove all traces of the software / drivers from a user's device (similar to https://mysupport.razer.com/app/answers/detail/a_id/1708)?
Thanks in advance,
Adrian Scott
Can anyone at Razer Support provide an answer please?
Am I talking into a black hole with this Security Vulnerability?
Hello, leetbusVividCerise468,
Thank you very much for raising this question. Because of the Razer Synapse 3 LibWebP vulnerabilities, I had to uninstall Razer Synapse 3 and now cannot use my Razer Naga V2 HyperSpeed mouse. It was very useful in my work, but for now it is only gathering dust.
I hope technical will pay attention to this issue.
Sadly after 2.5 weeks I have still had absolutely no response from Razer’s support team.
Their response to my question just goes to show how good their support actually is.
For users' devices that no longer use Razer hardware, I have so far:
- Checked that Razer Synapse 3 is uninstalled - it was and the C:\Windows\Installer\Razer folder still existed
- Uninstalled (and deleted) all ‘ghost’ device drivers for Razer devices (Open Device Manager and choose: View > Show Hidden Devices, you will see them as "greyed out" devices. Right click and select uninstall)
- Deleted the C:\Windows\Installer\Razer folder
I am not sure if this would have any long-term consequences or if this would be a ‘supported’ solution, but I needed to make progress on removing these high severity CVEs.
If any of our users still use Razer hardware, no fix has been suggested.
Come on Razer (
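The checks described in the post above can be gathered into one read-only audit per device. This is an added example, not part of the original post and not Razer tooling; it deletes nothing. Assumptions: the `$MinSafe` threshold is a placeholder to confirm against your own scanner's advisory, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the Razer leftovers discussed in this thread.
param(
    [string]  $Root    = 'C:\Windows\Installer\Razer',  # folder named in the thread
    [version] $MinSafe = '1.3.2'  # assumption: lowest libwebp version you accept; confirm with your advisory
)

function New-Finding($Check, $Item, $Detail, [bool]$Flag) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail; Flag = $Flag }
}

# 1) libwebp copies under the installer folder; flagged when older than $MinSafe
#    or when the version string cannot be parsed (needs a manual look).
function Get-LibWebPFinding {
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Filter 'libwebp*.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.ProductVersion
            $ver = $raw -as [version]
            New-Finding 'libwebp' $_.FullName $raw (($null -eq $ver) -or ($ver -lt $MinSafe))
        }
}

# 2) Razer entries in Add or Remove Programs (64-bit and 32-bit uninstall keys).
function Get-RazerUninstallEntry {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Razer*' } |
        ForEach-Object { New-Finding 'installed' $_.DisplayName $_.DisplayVersion $false }
}

# 3) 'Ghost' devices: still registered with Plug and Play but not connected.
function Get-RazerGhostDevice {
    Get-PnpDevice -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.Present) -and ($_.Manufacturer -like '*Razer*' -or $_.FriendlyName -like '*Razer*') } |
        ForEach-Object { New-Finding 'ghost-device' $_.FriendlyName $_.InstanceId $true }
}

# One table per device: Flag = True marks items that need follow-up.
@(Get-LibWebPFinding) + @(Get-RazerUninstallEntry) + @(Get-RazerGhostDevice) |
    Sort-Object Check, Item | Format-Table -AutoSize -Wrap
```

A device with flagged libwebp rows but no `installed` rows matches the situation in this thread: the files arrived with the driver install and stay behind after Synapse is removed.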
For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.
Hi guys,
Probably some good news for you: There is a NEW Synapse Software available (BETA).
You can check it out here: https://www.razer.com/de-de/synapse-new (German setting)
The new software comes with a new UI and has this issue resolved, as the vulnerable .dll files are not installed anymore.
Hope this helps!
Cheers,
CS
For removing Razer drivers you can use this app: https://rzr.to/Tf53xj really helpful tool.
FYI: This app does not appear to work on a fully up-to-date patched Windows 10 22H2 (10.0.19045.4170). Launching the application from an Administrative prompt (PowerShell or Command Prompt) doesn’t appear to do anything. I’ve watched the CPU activity for the app and within a couple of seconds it stops at 0% and never increases, so I can only conclude it has failed - I suspect due to the age of this command line app it may require a specific .NET Framework that has now been superseded.
I have had to resort to using my method above to remove ‘Ghost devices’
You may be right, but I tested it personally on a bunch of PCs including old/new Win 10 and 11, and it always worked correctly for me. But every environment is different, so it can be a bug in the app or some framework missing in the OS, as you’ve mentioned.
Hi guys,
Probably some good news for you: There is a NEW Synapse Software available (BETA).
You can check it out here: https://www.razer.com/de-de/synapse-new (German setting)
The new software comes with a new UI and has this issue resolved, as the vulnerable .dll files are not installed anymore.
Hope this helps!
Cheers,
CS
Good to know that a later version should fix this, but security policy prevents me from using ‘Beta’ software on our production devices.
Making customers wait for the later Synapse to be released is not the fix for this, Razer needs to provide a patched version of the existing Razer software versions - Like any good software vendor.
Does any silent parameter exist which can be used to mitigate / update Synapse without requiring user interaction?!
FYI - Razer Synapse official 20240429 is available for update. I don’t know if this fixes anything. I just started following this issue a few minutes ago.
Hey
What would the attack chain for this be?
I suspect Razer is only using this for loading their own images.
Outside of some compromised advanced MITM attack, or assuming there were no safeguards in place for unauthorized images and URLs for image fetching, or a server breach.
Wouldn't this just be an "I already have access" kind of thing, or perhaps a pivot from one already infected device?
I have not tested any of this, but perhaps a Bugcrowd report could get things started IF THEY WANT to ignore it, and I'd be happy to further the security research effort on my end towards a means to an end and a solution / responsible disclosure that helps us all know what is going on.
Considering where the installer runs from....outside of secure boot this could become a much bigger problem for the end user and I'd like to think reprogramming a few changed library references in their source would take this long. My experience is developers are never wrong publicly until they have no choice to be lol.
I already have a fairly straightforward PoC in mind... "string search" the fetching URLs and DNS spoof to a fake server from the same LAN.
RAZER CDN compromise is obviously off limits for research for us good folks but not out of scope for the bad guys.
However, I only see a few attack vectors, and if I am wrong, help a brother out. My experience with Synapse is limited. Are there messaging features etc. that display in a vulnerable version of Chromium? I'll throw up a VM today and play. Try to pop some calculators lol.
After all, installing core functionality drivers is one thing. Harassing people who paid hard-earned money by using NT AUTHORITY and Windows Update to hard install drivers and soft install software 'pending user agreement', and not only that, but when skipped leaving potential remnants all over the place, just rubs me the wrong way. I have much more expensive peripherals that wouldn't dare. The question is why? Just put a product card and a link in the box for people who want the software, then install a bare-bones, low attack surface generic PnP driver or use an existing one, the same one that navigates my UEFI before any OS install lol....
Hopefully we will hear from Razer officially soon. Sad when the public needs to do a job they themselves should do. These forums should be so closely watched a needle can't drop outside of an escalation chain.
I don't mean to dog on them, but there is no reason this post should have been ignored this long.
My typical customer support with them has been amazing and I'd expect that to extend to here as well. We shall see.
Well despite having big goals today all I managed was to install razer synapse from the official download link while using a different keyboard on a new install of windows and was able to install from that installer before the trusted installer ran the synapse download that my board prompts…..I can find neither file after doing it this way but that does not mean it is not baked into a binary somewhere.
Need more time and effort lol.
I am unsure if your machine has installed the original version or the new (beta) version available via https://www.razer.com/gb-en/synapse-new - but interestingly, that page also has not been updated in a while:
Coming in February: Select headsets, Kraken Kitty, Nari Ultimate, Nari Essential.
Coming in March: Additional new and previously released devices.
As it’s now May 2024, do I assume they are referring to February / March 2025?
My removal process (linked above) has appeared to work with no ill effect (AFAIK), but I’ve noticed only this week another new member of staff has plugged in another Razer device and this vulnerability has re-appeared. I suspect (depending on the device) the driver install downloads and installs the current (v1.x?) release Synapse software which contains these vulnerable files; maybe newer devices use a different / newer version - hence why you have not seen these vulnerable files?
Yeah, hard to tell without getting super involved.
RazerSynapseInstaller_V1.17.0.600 is the one I downloaded and installed to test.
Same Hash as this.
https://www.virustotal.com/gui/file/f051896ab2043d06236e047efd6a2a719a399bb99fc810e5a671412f0ec35dea
Sorry I don’t remember the exact URL I downloaded it from on the Razer site but I am sure I just followed the normal Google → Razer → etc..
Strange of Razer to pull the affected libraries out of the installer location and not note it in a change log.
Also strange that Windows is still pushing the old update… I am guessing the keyboard doesn't have onboard writable memory for driver requisition, at least I hope it doesn't lol, and Windows Update just installed whatever is the closest match to the device ID provided.
Maybe they used the same identifier across a ton of boards and need an older, more generic driver to support them all out of the box? This is really bad if so.
IDK, none of it really makes much sense.
I’m just a guy trying to get Windows Defender for Business to be quiet about this issue. I uninstalled Razer Synapse last night and installed RazerSynapseInstaller_V1.17.0.600.exe a.k.a. Synapse Version 3.9.516.51517. It seems the file that Defender was complaining about is no longer there and it has been removed from the list of problems in the Defender console.