Razer Synapse 3 Permissions Vulnerability
Incorrect Permissions Assignment for Critical Resource
CVE ID
Vendor
Razer
Product
Razer Synapse 3
Product Version
3.5.1030.101917
Vulnerability Details
Multiple system-level services deployed alongside the Razer Synapse 3 software suite interact with a critical resource that has improper permissions assigned. These permissions allow runtime abuse that can lead to system instability and even system denial-of-service (DoS) attacks.
Vendor Response
The vendor was proactive in acknowledging and remediating the security issue and its impact.
Disclosure Timeline
- Contacted Razer and asked to be put in touch with a security resource for the disclosure process.
- Initial response from Razer was received.
- VerSprite provided the vulnerability details in a report to Razer support.
- Razer and VerSprite held a disclosure meeting to go over remediation steps.
- Razer released an update to Synapse and remediated the issue.
- VerSprite performed patch verification and determined that a component was still vulnerable.
- VerSprite reached out to Razer to alert them that some components were still vulnerable.
- Razer responded, acknowledging that their patch was incomplete, and requested a delay in notifying MITRE for a CVE ID until they released the patch publicly at the end of April 2021.
- VerSprite responded with a commitment to the release schedule already presented and explained that they would not delay public disclosure due to the failed patch.
- VerSprite submitted initial vulnerability details to MITRE to acquire a CVE ID.
- MITRE responded with two CVE IDs (CVE-2021-30494 & CVE-2021-30493), one for each vulnerability.
- VerSprite sent Razer a link to the publication of the vulnerabilities.