Razer’s Synapse 3 product contains security-related vulnerabilities that allow less privileged users to write a file to any folder on disk. The root cause is improper use of the Windows Registry: improper permission assignment gives local users full control over multiple important Registry keys relating to the Synapse 3 software suite. Local system services deployed via the Synapse 3 software suite use these Registry keys to build file name paths for storing runtime logging information. The initial impact of these vulnerabilities is a denial of service via system instability; however, full exploitation is not out of the realm of possibility.
Remediation for these vulnerabilities was performed on February 25th, 2021, when Razer released updates to the Synapse 3 software suite that mitigated the vulnerabilities. However, after VerSprite security researchers performed an internal verification of the patch provided by Razer, we concluded that the patch was only a partial solution. The RzSDKService.exe service binary still interacted with a critical resource that had improper permissions assigned. Razer has acknowledged the failed patch and stated that they will work on a patch before the end of April 2021. For more information on the entire timeline, please refer to the Vendor Disclosure Timeline section within the full report.
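One way to check for the permission problem described above is to audit Registry keys for write-type rights granted to broad, low-privileged groups. This is an added example, not code from the advisory or from Razer; the function name `Get-WeakRegistryAce` is hypothetical, and the key path in the usage comment is a placeholder because this page does not list the affected keys.

```powershell
# Added example: report Registry ACEs that let low-privileged principals modify a key.
function Get-WeakRegistryAce {
    param(
        [Parameter(Mandatory)][string[]]$KeyPath,
        [switch]$Recurse
    )
    # Well-known SIDs of broad, low-privileged groups
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-4',       # INTERACTIVE
        'S-1-5-32-545'   # BUILTIN\Users
    )
    # Rights that allow changing values, subkeys, or the ACL itself
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

    foreach ($path in $KeyPath) {
        $keys = @(Get-Item -LiteralPath $path -ErrorAction Stop)
        if ($Recurse) {
            $keys += Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue
        }
        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key.PSPath
            # Resolve every ACE (explicit and inherited) to a SID for a locale-independent match
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -notin $lowPrivSids) { continue }
                $granted = [int]$ace.RegistryRights -band $writeMask
                if ($granted -ne 0) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Sid       = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Usage (placeholder path; substitute the vendor key under review):
# Get-WeakRegistryAce -KeyPath 'HKLM:\SOFTWARE\VENDOR_KEY_PLACEHOLDER' -Recurse | Format-Table -AutoSize
```

Any row returned for a key that a SYSTEM service reads to build file paths deserves review, since the key's contents should then be treated as untrusted input by that service.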