Seriously? Expiring security certificates on iCUE 3.x? (AKA "curse of the missing dashboard info")

[cmpxchg8b]

So I recently noticed that my AIOs basically stopped working on my workstation a few days ago. I fired up my system and was immediately greeted with two "dead" AIOs- that is to say, the LED rings were completely black and nothing seemed to be working. The fans in my system were still spinning and the pumps were running, so I figured it must have been an iCUE issue (as per usual).

Open iCUE, go to the dashboard... Oh look, all my system info has vanished. Looks like iCUE can't read the package temperature of my processors anymore because iCUE isn't reporting those widgets as being available. This is, of course, the exact same issue everyone else is having with the older versions of iCUE. I was previously on 3.x as I got tired of rearranging widgets and dealing with the general wonkyness of iCUE 4.x, but it seems like 3.x actually has a built-in suicide pill programmed into it.

While debugging the problem, I found out that the issue more or less stems from the fact that Corsair.Service.exe was unable to launch Corsair.Service.CpuIdRemote64.exe. Running the service binary in the command prompt spat out the following debug information:
 

Quote

 

2021-12-16 22:04:56.7810 | 5 | MEGACHONK | 3.38.0.4 | CertificateValidator | ->
System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN="Corsair Memory, Inc.", O="Corsair Memory, Inc.", L=Fremont, S=California, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

   at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
   at System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
   at CorsairLink4.Module.Common.Certificates.CertificateValidator.ValidateCertificate(X509Certificate certificate)

 

Upon further investigation, it seems as though Corsair.Service.CpuIdRemote.exe and Corsair.Service.CpuIdRemote64.exe were "signed" with a security certificate that expired on exactly 12/16/2021. This completely renders all previous versions of iCUE 3.x inoperable, unless you launch the CPUID process manually since Corsair.Service.exe will refuse to do it due to the above error.

So... how do I word this politely...

What the hell, Corsair?

Did you seriously write your flagship software to actually EXPIRE after a few years? Why does my CPU cooler software require ANY sort of "certificates" to function, other than maybe a certificate or two for validating the authenticity of update packages?

This is, quite frankly, one of the most absurd things I have ever seen in over 30+ years of building computers and writing software. The implications of this are absolutely stunning. I was lucky in that support for my coolers wasn't dropped with iCUE 4.x, but if they were I'd be potentially screwed right now. I see iCUE 4.x has the exact same certificates in it, only they'll expire on 12/15/2024. What do I do if iCUE 5.x is out by then and drops support for my coolers? iCUE 4.x will simply self destruct the same way iCUE 3.x did, which is completely and utterly unacceptable.

Honestly, I don't know if this is a request for tech support or just a way for me to call ya'll out on your bullshit, but I just wanted to close with this- I no longer trust iCUE, and I no longer trust your entire ecosystem of digital products that rely on it. This is a serious design oversight in the foundations of iCUE, and if I didn't know any better I'd say this was a perfect example of planned obsolescence.

I will be replacing my Corsair AIO coolers ASAP with Noctua heatsinks and uninstalling iCUE as soon as I can. I rely on this workstation as a tool to make money, and it was a mistake to install such a piece of technology that could potentially lose features over an expired security certificate.

I will also think twice about buying another Corsair product in the future that's smarter than a dumb PSU or a PC case- and quite frankly, if I find another manufacture who offers a better quality product in those two categories between now and my next computer, I won't be buying any new Corsair products at all.

Good day.

-CMPX

[Corsair James]

Thanks for bringing this to our attention.

All certificates will eventually expire, and since iCUE 3.x is discontinued software, this was overlooked as all of our efforts is to support iCUE 4.x. This isn't an intentional "suicide pill" as you're claiming - its just a consequence of discontinued software that has no development resources allocated to support it.

I'll forward this issue to our devs and see what we can do about updating the certificate in iCUE 3 for those users who choose to remain on the legacy platform but I highly encourage everyone to update to iCUE 4 since we've already built in support for all of the legacy coolers.

[kcnicho]

Yep, same issue I just had.  Apparently I was using iCUE version 3.38.61, and all the sudden I had no lights indicating my temperatures, and no temperature sensor selection.  Your explanation sounds reasonable as to what happened.  Pretty scary if you are relying on this for anything other than "pretty colors".

Interestingly, when I click on "Check for Updates", I get "You are using the latest version of the application".  So, I get that maybe this is the latest version of 3.x, but how about a little help, maybe saying that 3.x is unsupported, and recommending a link to 4.x?

I share the sentiment of the OP, c'mon Corsair, you are a $2 billion capitalization company, it's not like you are a mom & pop operation.

[Pocah]

18 hours ago, Corsair James said:

Thanks for bringing this to our attention.

All certificates will eventually expire, and since iCUE 3.x is discontinued software, this was overlooked as all of our efforts is to support iCUE 4.x. This isn't an intentional "suicide pill" as you're claiming - its just a consequence of discontinued software that has no development resources allocated to support it.

I'll forward this issue to our devs and see what we can do about updating the certificate in iCUE 3 for those users who choose to remain on the legacy platform but I highly encourage everyone to update to iCUE 4 since we've already built in support for all of the legacy coolers.

I am seriously outraged by this reply, 

Corsair would actually send out hardware and software aimed at PC cooling that has an expiry date? Are you idiots? On the 17th My three PC's failed to detect any sensors and my brand new Z690 nearly completely melted down because all the fans failed. And I find out that some idiot thought that iCEU committing suicide was a good idea? Seriously?

The reason people don't update iCEU is because Corsair can't get it's act together and delivery reliable updates. And damn me, we stick with something that works and you screw us some other way! What happens with PC's that haven't got an internet connection? ( so they haven't updated ). Are they melting as we speak? 

I mean seriously. The level of stupidity here is unbelievable. RULE 1 -  Never ever, ever must cooling systems fail. Not ever. And to discover you did this kinda deliberately, I am lost for words. 

I suppose 4 has an expiry date too. 

That's it. Really. I am never trusting you guys again.  Corsair can mange the lights because you are obviously utterly incompetent when it comes to handling anything of importance. 

Yep, I am furious. 

 

 

 

 

Edited December 19, 2021 by Pocah

[cmpxchg8b]

18 hours ago, Corsair James said:

Thanks for bringing this to our attention.

All certificates will eventually expire, and since iCUE 3.x is discontinued software, this was overlooked as all of our efforts is to support iCUE 4.x. This isn't an intentional "suicide pill" as you're claiming - its just a consequence of discontinued software that has no development resources allocated to support it.

I'll forward this issue to our devs and see what we can do about updating the certificate in iCUE 3 for those users who choose to remain on the legacy platform but I highly encourage everyone to update to iCUE 4 since we've already built in support for all of the legacy coolers.

Honestly, this is a pretty unacceptable answer.

iCUE still works if you launch the relevant processes manually, it's simply that Corsair.Service.exe refuses to launch them for you due to the certificate validation failing. Furthermore, I've noticed that if you outright remove the certificates from Corsair.Service.exe, it seems as though the certificate validation code is hardwired to always return true, therefore the CPUID and DisplayAdapter endpoints will always be launched properly exactly as they were before.

I'm struggling to figure out exactly what sort of "user security" these certificates are supposed to provide, other than causing older versions of iCUE to stop functioning. You're clearly not using them to encrypt communication between the various iCUE processes (given that things will spring back to life if you launch the relevant processes by hand), and given that Corsair.Service.exe completely skips certificate validation if the certificates are outright removed on it- I can see absolutely no threat model that this is supposed to protect against. For all intents and purposes, this either appears to be a *very* weak attempt at securing the iCUE process infrastructure *or* a very blatant attempt at ensuring older versions of iCUE cease to function eventually.

I would personally prefer that these processes simply not be signed at all, since if a bad actor has write access to Program Files, it's already game over and the entire system cannot be trusted anyways. Whatever the end goal was here, it has caused numerous setups worldwide to simply stop working and that is a pretty bad look for Corsair when you're trying to market critical hardware components like CPU coolers and such to end users.

I may have been a tad harsh in my original post and I apologize for that, but thus far I am still confused as to why iCUE was attempting to validate these components in the first place, especially when it's so trivial to bypass the checks and validation failures by simply removing the offending certificate. The only thing this functionality has done thus far is to break various builds, and from what I've seen iCUE 4.x (which is under active development) has the exact same kind of logic built into it.

-CMPX

[KillerCode]

Completly Unnaceptable!

I have a Wireless Void Pro RGB Headset, and not only I can have the iCue 4 to use it together with my cooler, memories and case, but now I'm not even able to use version 3!

You highly recommend to update to 4 but why should I update it when I paid 100€ for a surround headset that will become a stereo headset on the icue?

I feel that I have been ripped off? I have the same brand tech that is incompatible, and now I AM LOSING FEATURES!?!?! because new version doesn't support it.... please!

[KillerCode]

The least you can do is provide:
a) integration of the headset to icue 4
b) create a standalone software to still support the headset
c) keep your software retro compatible....

That's it... not a single penny more for corsair on my behalf... there are plenty of cheaper and better brands out there!

[DrknMonkey]

Yes its 1000% Unnaceptable!

There is no need to talk about it. When I buy Hardware where Software is needed, then i expect that this Sofware work until the end of my Life and nothing else. It has always been like this ... even Software that is more than 20 Years old runs without Problems. In addition, this Software is important for the Cooling to work! And why should I update if I am satisfied with something as it is? Especially because Icue 4.x doesn't work on my computer. Corsair should fix this Problem quickly and put a "new" Legacy Version online. Or is this a planned Sofware Obsolescence? People stay tuned, and dont let this Problem going under!

Strange is... the last Corsair Link Software 4.9.9.3 has also an expired Certification (16.12.2021). But its Work fine....

@cmpxchg8b

Thanks for finding out and posting this Problem👍.

Edited December 19, 2021 by DrknMonkey

[DrknMonkey]

@cmpxchg8b

Hey,

I have fixed the Certification Problem here 😀.

All what u must do is to remove the Cetifications from the follow Files in the Corsair Folder:

- Corsair.Service.CpuIdRemote

- Corsair.Service.CpuIdRemote64

- Corsair.Service.DisplayAdapter

- Corsair.Service

You can do this easy with the the Program "FileUnsigner".

I have now my System Info Back in the Dashboard, and all Temperatures for the CPU, GPU, Motherboard etc... 👍

Good luck, and let's hear if it worked for you too 😎

[andreaz70]

On 12/18/2021 at 11:07 PM, Corsair James said:

Thanks for bringing this to our attention.

All certificates will eventually expire, and since iCUE 3.x is discontinued software, this was overlooked as all of our efforts is to support iCUE 4.x. This isn't an intentional "suicide pill" as you're claiming - its just a consequence of discontinued software that has no development resources allocated to support it.

I'll forward this issue to our devs and see what we can do about updating the certificate in iCUE 3 for those users who choose to remain on the legacy platform but I highly encourage everyone to update to iCUE 4 since we've already built in support for all of the legacy coolers.

And kick a fully functional headset to hell... Thanks for that! 😞

[Pocah]

Well, that's it. I have bought the necessary components to take all fan control away from the Commander Pro's and iCEU software. On two PC's I am removing iCEU altogether. On the third PC iCEU will be used to control a few led strips. I have had it with you Corsair. Time and time again you show that you simply are not able to write critical software. I kept on giving you chances but again and again you fail. Someone must have approved that date. It is not a random thing. It is beyond belief that someone sanctioned a date that could be actually reached. Why on earth was the date not set to 2099?

Rule one in software  is that critical system control absolutely must not fail and heaven forbid if it does then it MUST fails safe! Of course you get bugs, but to have a certificate expire is just beyond stupid - it is utterly incompetent.  Why does iCEU not have a watchdog? It should do. I will never trust you again. 

[Corsair James]

Hi everyone,

I would like to provide a quick update:

A.) We will deploy an immediate solution in the next week with an update to iCUE 3.38 that will contain new certificates with an extended expiration date. The reason for this is to provide a solution ASAP so everyone can regain the proper functionality of their devices on the legacy platform.

B.) In January, we will deploy 3.39 which will contain additional fixes that allow the functionality of devices to persist even after expiration of the certificates. We have identified the root cause of the problem and this can be solved easily but will take additional time for testing. This is why I am moving forward with #1 above as the stopgap solution for now.

As for some of the questions, I can do a quick FAQ:

1.) Why do certificates have an expiration date /  Why can't the dates of the expiration be in the far distant future?

Digital certificates cannot be infinitely persisting nor can expiration dates be far into the apocalyptic future  - it is also not a CORSAIR process but rather one dictated by Windows App Development.

2.) Why did this issue happen?

We have identified a bug that impacted the performance when certificates expire. We now have a resolution in place to prevent this so we do not have any degradation of performance when the new certificates expire. However it is expected that by the time this happens, iCUE 3 will have long been sunset by then.

3.) Was this intentional to force people to upgrade?

No - it was simply an oversight and we apologize for the inconvenience. We missed this, the community caught it and we are very appreciative of the quick alert. We will fix this ASAP in both iCUE 3 and iCUE 4.

4.) Will there be ongoing support for all remaining legacy devices of iCUE 3?

Yes but I do not have an ETA yet on when this happens. It is planned though to expand support for additional legacy devices in the future like what we did for Hydro Series coolers.

 

[ram1220]

I do thank you for you time to explain the situation. However Corsair has lost my trust. I have already solved the issue by deleting the certificates. I appreciate the community's help in doing this. I will be keeping my system as is.

[SpeedyV]

I feel sorry for the people that have not learned that Corsair iCue is a bloated, buggy mess. The certificate expiration oversite is just one more reason that I am sure that I made the right decision by removing iCue from all of my systems. I still have 2 rigs with Commander Pros and Lighting Node Pros, and my latest system has 2 Lighting Node Cores in it, but I don't use iCue to control any of them. I gave up on iCue long ago and since then it only seems to have gotten worse. More bloat, more bugs, expiring certificates, dropping support for a large list of their own fairly recent products, the list goes on.

[washburn100]

I stumbled across this thread through reddit. I have a Nexus and it stopped reporting temperatures. I assumed it was because I upgraded to windows 11. My questions are:

1) Why does the software say I am on the lastest version when clearly I am not?

2) I received no notification from Corsair. Their product stopped working and they knew it. They have no problem sending me e-mails to buy more stuff, they have my data, know who I am and target market me. 

3) no more Corsair product for me.

[Corsair Nick]

25 minutes ago, washburn100 said:

I stumbled across this thread through reddit. I have a Nexus and it stopped reporting temperatures. I assumed it was because I upgraded to windows 11. My questions are:

1) Why does the software say I am on the lastest version when clearly I am not?

2) I received no notification from Corsair. Their product stopped working and they knew it. They have no problem sending me e-mails to buy more stuff, they have my data, know who I am and target market me. 

3) no more Corsair product for me.

If you are on iCUE 3.38.x, we have restricted updates and update notifications to only those that are relevant to iCUE 3.x.  This was done so that customers that are still using legacy devices that are no longer supported on iCUE 4.x will not be prompted to update.  Once the iCUE 3.39.x release is available, anyone on iCUE 3.38.x should receive a notification in app.

[Shinigamiduo]

1 hour ago, Corsair Nick said:

If you are on iCUE 3.38.x, we have restricted updates and update notifications to only those that are relevant to iCUE 3.x.  This was done so that customers that are still using legacy devices that are no longer supported on iCUE 4.x will not be prompted to update.  Once the iCUE 3.39.x release is available, anyone on iCUE 3.38.x should receive a notification in app.

I'd love to know where this 3.39.x release is.  Not only is my software not showing anything higher than 3.38.61, but the downloads page on your own website doesn't have a 3.x version higher than that one.  

 

So where is it?

 

 

P.s. I'm with the OP and the others above who are not going to be trusting Corsair products in critical components, and also with the sentiment that critical components should never fail because of a software security certificate.  I'm lucky that my Corsair AIO and RAM have no RBG and therefore weren't affected, but what alerted me to the issue was the custom lighting profile on my keyboard that allows me to discern the temps of my CPU and GPU by glancing at it.  For shame Corsair, and you may say it's not planned obsolescence, but that's what it looks like from our point of view, and trust is easily lost but very much harder to earn.

[Technobeard]

7 minutes ago, Shinigamiduo said:

I'd love to know where this 3.39.x release is.  Not only is my software not showing anything higher than 3.38.61, but the downloads page on your own website doesn't have a 3.x version higher than that one.  

 

So where is it?

 

Per James:

On 12/21/2021 at 6:36 PM, Corsair James said:

B.) In January, we will deploy 3.39

[Corsair James]

Everyone,

I have a version of 3.38 that will contain the updated certificates - this still needs to be validated by our internal QA team but in the interest of giving everyone a chance to get their full functionality back, I am sharing it here: https://corsair-my.sharepoint.com/:u:/p/jamesca/EXTEaMBCs0ZFsYAiSa_yg5wBwBuX_SBtJYi_oxRZaYnrVA?e=zpHg6e

Please note this is still considered beta until we have done a full regression. 

[Conver]

@Corsair James pure love <3

[Pocah]

I don't think anyone would believe that Corsair did this deliberately but what I don't understand is why anyone would tempt fate by setting an expiry date that was "on the horizon". Anyone with any sense would not do that. 
Anyway, too late. I have removed two of my commander pro's and have already bought the parts to replace the third. Sorry Corsair but you screwed up just one too many times. Without iCEU on my PC's I am no longer tied to Corsair hardware either. So you really do lose on this. 

[KingJerky]

@Corsair James That worked like a champ.  Thank you for sharing it in advance of official release.

[DevBiker]

On 12/28/2021 at 5:05 AM, Pocah said:

I don't think anyone would believe that Corsair did this deliberately but what I don't understand is why anyone would tempt fate by setting an expiry date that was "on the horizon". Anyone with any sense would not do that.

You don't understand how certificates and their expiration actually works, do you?

Corsair doesn't set the expiration. They get the certificate from a third party certificate authority. They set the expiration. The expiry is always there and completely outside the control of the organization that it is certifying. Otherwise, certificates would be absolutely, positively useless for their intended purpose.

[mroselli]

First of all, Corsair receives the certificates and KNOWs when it expires. So that's not really an excuse. Second - I have this problem. My RGB are failing and flashing ever since the certificate expired.

Is there a list of devices 4.0 supports?

[c-attack]

8 hours ago, mroselli said:

Is there a list of devices 4.0 supports?

Short list of unsupported devices in first post. 
https://forum.corsair.com/forums/topic/168741-icue-4-unsupported-products/
 

 

Edited January 7, 2022 by c-attack