Windows 10 Admin Rights Impacted by Razer Devices
I. Targeted Entities
- Windows 10 Machines Using Razer Products
II. Introduction
In recent news, a zero-day bug has been observed providing extended admin rights to users by simply plugging in any device that contains Razer’s unified configuration software known as Synapse. The bug seems to be affecting the device installer software of Razer’s equipment. For now, it seems only Windows 10 machines are being affected.
III. Background Information
Razer, a company that manufactures popular gaming devices such as mice, keyboards, and headsets, has found itself at the center of a vulnerability exploit where anyone with a Razer device, Synapse (Razer’s software for configuring the device), and a machine running Windows 10 can theoretically become an admin on that machine. [2] There is, apparently, nothing keeping the vulnerability from affecting Windows 11 machines, but nothing has been reported regarding Windows 11 and the exploit.
Security researcher Jon Hat (@j0nh4t on Twitter) first reported the exploit to Razer. After receiving no response from Razer, he tweeted a video of the exploit in action. The tweet caught the attention of Razer, who told Hat that their security team was working on a fix to be deployed ASAP.[2] Hat also received a bug bounty from Razer, even though the bug was disclosed by Jon Hat to Razer.
Hat says (and BleepingComputer confirmed with their own tests) that when a user plugs in a Razer device (or dongle, if the device is wireless), Windows will automatically fetch an installer that contains driver software and the Razer Synapse utility. The utility installation then allows users to gain SYSTEM privileges on the machine. SYSTEM privileges are the highest user privileges in Windows. With these privileges, someone can get full control over the system, which will allow them to view, change, and delete data, create new accounts with full user rights, and the ability to install anything they want, including malicious files.[2] It is even possible for a PowerShell terminal, with those same elevated privileges, to be opened during the Synapse installation.
Because of the simple nature of this exploit (a user plugs in a USB device, software is installed with privileges), there is the potential for more exploits that are currently unknown. As of August 23, Microsoft said that they are aware of the reports and are investigating the issue. Razer has also said that a fix should be out soon for this specific attack vector.
IV. MITRE ATT&CK
- T1068 – Exploitation for Privilege Escalation
Threat actors can utilize Razer’s Synapse program to gain SYSTEM level privileges effectively allow them to take control of the target machine. - T1200 – Hardware Additions
Introducing a Razer peripheral into a target system environment can allow for privilege abuse. - T1078 – Valid Accounts
Valid installed accounts are utilized in this attack vector. - T1036 – Masquerading
Razer’s Synapse software is a typical software found on machines with any Razer peripherals, and as such, can be hidden in plain view.
V. Recommendations
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014 - Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures - Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats. - Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a - Turn on Endpoint Protection
Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
VI. Common Vulnerabilities and Exposures (CVEs)
These are the current CVEs that affect Razer Synapse:
- CVE-2021-30493: Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. This allows an attacker to create a file in an unintended directory (with some limitations).
CVE-2021-30494: Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. This allows an attacker to create a file in an unintended directory (with some limitations).
Source: https://us-cert.cisa.gov/ncas/bulletins/sb21-109
VII. References
(1) Abrams, Lawrence. “Razer Bug Lets You Become a Windows 10 Admin by Plugging in a Mouse.” BleepingComputer. BleepingComputer, August 22, 2021. https://www.bleepingcomputer.com/news/security/razer-bug-lets-you-become-a-windows-10-admin-by-plugging-in-a-mouse/.
(2) Vaas, Lisa. “Windows 10 Admin Rights Gobbled by Razer Mouse.” Threatpost English Global threatpostcom, August 23, 2021. https://threatpost.com/windows-10-admin-rights-razer-devices-mouse-peripherals/168855/.
Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya and Tural, Hagverdiyev.