Update, 4/8/19, 12:45 p.m. PT: Razer sent us a statement today about the vulnerability to confirm that it's aware of the issue. The company said it's released an update for laptops released in 2016 or later that can resolve the issue. For devices released before 2016, however, Razer said that "a software tool is being developed and will be available within a few weeks." It also asked concerned customers to reach out to Razer support via its website (opens in new tab).
The following devices are confirmed to be affected by this vulnerability.
|Razer Blade||RZ09-01021, RZ09-01161, RZ09-01301, RZ09-01652, RZ09-01952, RZ09-01953, RZ09-02385, RZ09-02386, RZ09-02886, RZ09-02705|
|Razer Blade Stealth||RZ09-01682, RZ09-01962, RZ09-01963, RZ09-01964, RZ09-02393, RZ09-02394, RZ09-02810, RZ09-02812|
|Razer Blade Pro||RZ09-0071, RZ09-0083, RZ09-0099, RZ09-01171, RZ09-01662, RZ09-01663, RZ09-02202|
Original article, 4/7/19, 7:20 a.m. PT:
Bad news for Razer laptop owners: several of the company's latest releases are still vulnerable to a flaw that could let malware withstand reboots, hard drive wipes, and other attempts to remove it from a device.
The vulnerability is said to be identical to CVE-2018-4251, which let attackers modify the firmware of Macs on which Manufacturing Mode was enabled. As its name suggests, Manufacturing Mode is part of the oft-criticized Intel Management Engine that's supposed to be disabled before a device ever reaches consumers.
Apple released a fix (opens in new tab) to CVE-2018-4251 with macOS High Sierra 10.13.4, which debuted in March 2018. The vulnerability wasn't publicly disclosed until June 2018, which means the company addressed the problem before most hackers would have known about it. (Hopefully.) It seemed like the issue was fixed before it even started.
Then in March security researcher Bailey Fox said that "Razer has a vulnerability affecting all current laptops where the SPI Flash is set to full read/write and the Intel CPU is left in ME Manufacturing Mode." Fox disclosed the issue on Twitter on March 21; The Register spotted the tweet just last week.
In his advisory on Full Disclosure, Fox said this vulnerability "allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things." Those are the kinds of problems that make people take screwdrivers to their $2,000 laptops.
ExtremeTech said that Razer acknowledged this issue and has released firmware updates to patch this vulnerability and will no longer ship laptops with Manufacturing Mode enabled. Devices that have already been compromised, however, won't be helped by the firmware updates. Fingers crossed, eh?
There is some good news, which is that if this vulnerability truly matches CVE-2018-4251, it shouldn't put devices at risk of initial compromise. Malware has to find its way onto a system and gain administrator privileges before it can exploit this vulnerability to wreak the havoc Fox described in his advisory.