Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay     server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length     field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a     malicious relay server when attempting to join the relay. Relay joins are essentially random (from a     subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's     likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0. (CVE-2021-21404)

Note that Nessus relies on the presence of the package as reported by the vendor.

This update for syncthing fixes the following issues :

Update to 1.15.0/1.15.1

  - This release fixes a vulnerability where Syncthing and     the relay server can crash due to malformed relay     protocol messages (CVE-2021-21404); see     GHSA-x462-89pf-6r5h. (boo#1184428)

  - This release updates the CLI to use subcommands and adds     the subcommands cli (previously standalone stcli     utility) and decrypt (for offline verifying and     decrypting encrypted folders).

  - With this release we invite everyone to test the     'untrusted (encrypted) devices' feature. You should not     use it yet on important production data. Thus UI     controls are hidden behind a feature flag. For more     information, visit:
    https://forum.syncthing.net/t/testing-untrusted-encrypte     d-devices/16470 

Update to 1.14.0

  - This release adds configurable device and folder     defaults.

  - The output format of the /rest/db/browse endpoint has     changed. 

update to 1.13.1 :

  - This release adds configuration options for min/max     connections (see     https://docs.syncthing.net/advanced/option-connection-li     mits.html) and moves the storage of pending     devices/folders from the config to the database (see     https://docs.syncthing.net/dev/rest.html#cluster-endpoin     ts).

  - Bugfixes

  - Official builds of v1.13.0 come with the Tech Ui, which     is impossible to switch back from

update to 1.12.1 :

  - Invalid names are allowed and 'auto accepted' in folder     root path on Windows

  - Sometimes indexes for some folders aren't sent after     starting Syncthing

  - [Untrusted] Remove Unexpected Items leaves things behind

  - Wrong theme on selection

  - Quic spamming address resolving

  - Deleted locally changed items still shown as locally     changed

  - Allow specifying remote expected web UI port which would     generate a href somewhere

  - Ignore fsync errors when saving ignore files 

Update to 1.12.0

  - The 1.12.0 release

  - adds a new config REST API.

  - The 1.11.0 release

  - adds the sendFullIndexOnUpgrade option to control     whether all index data is resent when an upgrade is     detected, equivalent to starting Syncthing with
    --reset-deltas. This (sendFullIndexOnUpgrade=true) used     to be the behavior in previous versions, but is mainly     useful as a troubleshooting step and causes high     database churn. The new default is false.

  - Update to 1.10.0

  - This release adds the config option announceLANAddresses     to enable (the default) or disable announcing private     (RFC1918) LAN IP addresses to global discovery. 

  - Update to 1.9.0

  - This release adds the advanced folder option     caseSensitiveFS     (https://docs.syncthing.net/advanced/folder-caseSensitiv     eFS.html) to disable the new safe handling of case     insensitive filesystems. 

  - Fix Leap build by requiring at least Go 1.14

  - Prevent the build system to download Go modules which     would require an internet connection during the build

  - Update to 1.8.0

  - The 1.8.0 release

  - adds the experimental copyRangeMethod config on folders,     for use on filesystems with copy-on-write support.
    Please see     https://docs.syncthing.net/advanced/folder-copyrangemeth     od.html for details.

  - adds TCP hole punching, used to establish high     performance TCP connections in certain NAT scenarios     where only relay or QUIC connections could be used     previously.

  - adds a configuration to file versioning for how often to     run cleanup. This defaults to once an hour, but is     configurable from very frequently to never.

  - The 1.7.0 release performs a database migration to     optimize for clusters with many devices.

  - The 1.6.0 release performs a database schema migration,     and adds the BlockPullOrder, DisableFsync and     MaxConcurrentWrites folder options to the configuration     schema. The LocalChangeDetected event no longer has the     action set to added for new files, instead showing     modified for all local file changes.

  - The 1.5.0 release changes the default location for the     index database under some circumstances. Two new flags     can also be used to affect the location of the     configuration (-config) and database (-data) separately.
    The old -home flag is equivalent to setting both of     these to the same directory. When no flags are given the     following logic is used to determine the data location:
    If a database exists in the old default location, that     location is still used. This means existing     installations are not affected by this change. If     $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing. If     ~/.local/share/syncthing exists, use that location. Use     the old default location.

  - Update to 1.4.2 :

  - Bugfixes :

  - #6499: panic: nil pointer dereference in usage reporting

  - Other issues :

  - revert a change to the upgrade code that puts     unnecessary load on the upgrade server

  - Update to 1.4.1 :

  - Bugfixes :

  - #6289: 'general SOCKS server failure' since syncthing     1.3.3

  - #6365: Connection errors not shown in GUI

  - #6415: Loop in database migration 'folder db index     missing' after upgrade to v1.4.0

  - #6422: 'fatal error: runtime: out of memory' during     database migration on QNAP NAS

  - Enhancements :

  - #5380: gui: Display folder/device name in modal

  - #5979: UNIX socket permission bits

  - #6384: Do auto upgrades early and synchronously on     startup

  - Other issues :

  - #6249: Remove unnecessary RAM/CPU stats from GUI

  - Update to 1.4.0 :

  - Important changes :

  - New config option maxConcurrentIncomingRequestKiB

  - Replace config option maxConcurrentScans with     maxFolderConcurrency

  - Improve database schema

  - Bugfixes :

  - #4774: Doesn't react to Ctrl-C when run in a subshell     with -no-restart (Linux)

  - #5952: panic: Should never get a deleted file as needed     when we don't have it

  - #6281: Progress emitter uses 100% CPU

  - #6300: lib/ignore: panic: runtime error: index out of     range [0] with length 0

  - #6304: Syncing issues, database missing sequence entries

  - #6335: Crash or hard shutdown can case database     inconsistency, out of sync

  - Enhancements :

  - #5786: Consider always running the monitor process

  - #5898: Database performance: reduce duplication

  - #5914: Limit folder concurrency to improve performance

  - #6302: Avoid thundering herd issue by global request     limiter

  - Change the Go build requirement to a more flexible     'golang(API) >= 1.12'.

syncthing developers report :

syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field.

The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field.

ID	Name	Product	Family	Severity
245272	Linux Distros Unpatched Vulnerability : CVE-2021-21404	Nessus	Misc.	high
149541	openSUSE Security Update : syncthing (openSUSE-2021-688)	Nessus	SuSE Local Security Checks	high
148520	FreeBSD : syncthing -- crash due to malformed relay protocol message (9ee01e60-6045-43df-98e5-a794007e54ef)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-21404

high

Tenable Plugins

high

high

high