Описание
Crash due to malformed relay protocol message
Impact
-
syncthingcan be caused to crash and exit if sent a malformed relay protocol message message with a negative length field. -
The relay server
strelaysrvcan be caused to crash and exit if sent a malformed relay protocol message with a negative length field.
At no point is sensitive data exposed or liable to be altered due to this issue. Sensitive data is never exposed to relay operators. Syncthing itself would need to be lured to connect to a malicious relay server in order to exploit the issue.
Patches
Fixed in version 1.15.0.
Workarounds
-
No known workaround for
strelaysrv. -
syncthingcan be configured to not use relays, or to only use specific, trusted relays. If Syncthing is used in a closed environment or with relaying disabled, i.e., it does not communicate with unknown relays, Syncthing is not vulnerable.
For more information
If you have any questions or comments about this advisory, please discuss it on the forum.
Thanks to Wojciech Paciorek for discovering and reporting this issue.
Ссылки
- https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
- https://nvd.nist.gov/vuln/detail/CVE-2021-21404
- https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97
- https://github.com/syncthing/syncthing/releases/tag/v1.15.0
- https://pkg.go.dev/github.com/syncthing/syncthing
Пакеты
github.com/syncthing/syncthing
< 1.15.0
1.15.0
Связанные уязвимости
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.
Syncthing is a continuous file synchronization program. In Syncthing b ...
