Razer Synapse 3

Incorrect Permissions Assignment for Critical Resource

Vendor

Razer

Product

Razer Synapse 3

Product Version

3.5.1030.101917

Vulnerability Details

Multiple system-level services deployed alongside the Razer Synapse 3 software suite interact with a critical resource that has improper permissions assigned. This allows runtime abuse that can lead to system instability and even system denial-of-service (DoS) attacks.

Vendor Response

Vendor was proactive in their remediation and acknowledgement of the security issue and impact.

Disclosure Timeline

  • Contacted Razer and asked to be put in touch with a security resource for the disclosure process.

  • Initial Response from Razer was received.

  • VerSprite provided the vulnerability details in a report to Razer support.

  • Razer & VerSprite had a disclosure meeting going over remediation steps.

  • Razer released an update to Synapse and remediated the issue.

  • VerSprite performed Patch Verification and determined that a component was still vulnerable.

  • VerSprite reached out to Razer to alert them that some components were still vulnerable.

  • Razer responded, acknowledging that their patch was incomplete, and requested a delay in notification to MITRE for a CVE ID until they released the patch publicly at the end of April 2021.

  • VerSprite responded with a commitment to the release schedule already presented and explained that they would not delay public disclosure due to the failed patch.

  • VerSprite submitted initial vulnerability details to MITRE to acquire a CVE ID.

  • MITRE responded with two CVE IDs (CVE-2021-30494 & CVE-2021-30493), one for each vulnerability.

  • VerSprite sent Razer a link to the publication of the vulnerabilities.