Login Sign Up

CVE-2019-15522

9.8 CRITICAL

📋 TL;DR

CVE-2019-15522 is a security bypass vulnerability in LINBIT csync2 that allows attackers to establish unencrypted connections even when SSL/TLS is required by configuration. This affects all systems running csync2 through version 2.0 that have SSL/TLS configured for secure synchronization. The vulnerability enables man-in-the-middle attacks and data interception.

💻 Affected Systems

Products:
  • LINBIT csync2
Versions: All versions through 2.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only affects configurations where SSL/TLS is explicitly required in csync2 configuration files. Default installations without SSL/TLS configuration are not vulnerable.

📦 What is this software?

Csync2 by Linbit

View all CVEs affecting Csync2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can intercept and manipulate synchronization data between nodes, potentially injecting malicious content, stealing sensitive information, or disrupting cluster operations.

🟠

Likely Case

Data transmitted between csync2 nodes could be intercepted and read by unauthorized parties, compromising confidentiality of synchronized data.

🟢

If Mitigated

With proper network segmentation and additional encryption layers, impact is limited to potential service disruption rather than data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to csync2 daemon port (default 30865) and ability to intercept or manipulate traffic between nodes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 416f1de878ef97e27e27508914f7ba8599a0be22

Vendor Advisory: https://github.com/LINBIT/csync2/commit/416f1de878ef97e27e27508914f7ba8599a0be22

Restart Required: Yes

Instructions:

1. Update csync2 to version after commit 416f1de. 2. Recompile from source if using custom build. 3. Restart csync2 daemon on all nodes. 4. Verify SSL/TLS enforcement is working.

🔧 Temporary Workarounds

Network Segmentation

linux

Isolate csync2 traffic to trusted network segments using firewall rules

iptables -A INPUT -p tcp --dport 30865 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 30865 -j DROP

VPN Tunnel

linux

Encapsulate csync2 traffic within VPN tunnels for additional encryption

# Configure OpenVPN or WireGuard between csync2 nodes

🧯 If You Can't Patch

  • Implement strict network access controls to limit csync2 traffic to trusted IPs only
  • Deploy network-based IDS/IPS to detect and block unencrypted csync2 connections

🔍 How to Verify

Check if Vulnerable:

Check csync2 version with 'csync2 --version' and verify if SSL/TLS is configured in /etc/csync2/csync2.cfg or similar config files

Check Version:

csync2 --version

Verify Fix Applied:

Attempt to establish unencrypted connection to csync2 daemon when SSL/TLS is configured - connection should be rejected

📡 Detection & Monitoring

Log Indicators:

  • Unencrypted connection attempts to csync2 daemon
  • SSL/TLS handshake failures when SSL required

Network Indicators:

  • Unencrypted traffic on csync2 port 30865 when SSL/TLS should be enforced
  • Missing TLS handshakes between csync2 nodes

SIEM Query:

source_port:30865 AND NOT tls.version:*

📊 Metadata

CVE ID: CVE-2019-15522
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: March 20, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON