Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg0NjItODlwZi02cjVo

Crash due to malformed relay protocol message

Impact

  1. syncthing can be caused to crash and exit if sent a malformed relay
    protocol message message with a negative length field.

  2. The relay server strelaysrv can be caused to crash and exit if sent
    a malformed relay protocol message with a negative length field.

At no point is sensitive data exposed or liable to be altered due to this
issue. Sensitive data is never exposed to relay operators. Syncthing itself
would need to be lured to connect to a malicious relay server in order to
exploit the issue.

Patches

Fixed in version 1.15.0.

Workarounds

  1. No known workaround for strelaysrv.

  2. syncthing can be configured to not use relays, or to only use specific,
    trusted relays. If Syncthing is used in a closed environment or with
    relaying disabled, i.e., it does not communicate with unknown relays,
    Syncthing is not vulnerable.

For more information

If you have any questions or comments about this advisory, please discuss it on the forum.

Thanks to Wojciech Paciorek for discovering and reporting this issue.

Permalink: https://github.com/advisories/GHSA-x462-89pf-6r5h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg0NjItODlwZi02cjVo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 3 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-x462-89pf-6r5h, CVE-2021-21404
References: Repository: https://github.com/syncthing/syncthing
Blast Radius: 16.8

Affected Packages

go:github.com/syncthing/syncthing
Dependent packages: 15
Dependent repositories: 175
Downloads:
Affected Version Ranges: < 1.15.0
Fixed in: 1.15.0
All affected versions: 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17, 0.8.18, 0.8.19, 0.8.20, 0.8.21, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.10.17, 0.10.18, 0.10.19, 0.10.20, 0.10.21, 0.10.22, 0.10.23, 0.10.24, 0.10.25, 0.10.26, 0.10.27, 0.10.28, 0.10.29, 0.10.30, 0.10.31, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.11.20, 0.11.21, 0.11.22, 0.11.23, 0.11.24, 0.11.25, 0.11.26, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 0.12.17, 0.12.18, 0.12.19, 0.12.20, 0.12.21, 0.12.22, 0.12.23, 0.12.24, 0.12.25, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14, 0.14.15, 0.14.16, 0.14.17, 0.14.18, 0.14.19, 0.14.20, 0.14.21, 0.14.22, 0.14.23, 0.14.24, 0.14.25, 0.14.26, 0.14.27, 0.14.28, 0.14.29, 0.14.30, 0.14.31, 0.14.32, 0.14.33, 0.14.34, 0.14.35, 0.14.36, 0.14.37, 0.14.38, 0.14.39, 0.14.40, 0.14.41, 0.14.42, 0.14.43, 0.14.44, 0.14.45, 0.14.46, 0.14.47, 0.14.48, 0.14.49, 0.14.50, 0.14.51, 0.14.52, 0.14.53, 0.14.54, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.14.0
All unaffected versions: 1.15.0, 1.15.1, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.19.0, 1.19.1, 1.19.2, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.21.0, 1.22.0, 1.22.1, 1.22.2, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.23.6, 1.23.7, 1.24.0, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.27.1, 1.27.2