CVE-2021-21404

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to crash Syncthing file synchronization software and its relay server by sending messages with negative length fields. Both Syncthing clients and strelaysrv relay servers are affected. The crash causes denial of service, though Syncthing typically restarts automatically.

💻 Affected Systems

Products:
  • Syncthing
  • strelaysrv
Versions: All versions before 1.15.0
Operating Systems: All platforms running Syncthing
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations using relay functionality are vulnerable. Relay usage is common for NAT traversal.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service through repeated crashes, potentially disrupting file synchronization services and relay infrastructure.

🟠 Likely Case

Temporary service disruption with automatic restart, causing brief synchronization interruptions.

🟢 If Mitigated

Minimal impact with proper patching and network controls in place.

🌐 Internet-Facing: HIGH - Relay servers are internet-facing by design and vulnerable to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal Syncthing clients could be affected if connecting to malicious relays.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending specially crafted messages to vulnerable endpoints. Public advisory includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.0

Vendor Advisory: https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h

Restart Required: Yes

Instructions:

1. Download Syncthing 1.15.0 or later from official sources.
2. Stop the Syncthing service.
3. Replace the binary with the patched version.
4. Restart the service.

For strelaysrv: update to the version included with Syncthing 1.15.0+.

🔧 Temporary Workarounds

Disable relay usage

Applies to: all

Configure Syncthing to not use relay servers:

  • Edit config.xml: set <relaysEnabled>false</relaysEnabled>
  • Or use the GUI: Settings > Connections > uncheck 'Use relays'

Network filtering

Applies to: all

Block access to relay servers at the network level:

  • Firewall rule: block outbound to relay.syncthing.net:443
  • Firewall rule: block inbound/outbound to port 22067 (relay protocol)

🧯 If You Can't Patch

  • Implement network segmentation to isolate Syncthing traffic
  • Monitor for crash/restart patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check Syncthing version: syncthing --version. If version is below 1.15.0, system is vulnerable.

Check Version:

syncthing --version

Verify Fix Applied:

Confirm version is 1.15.0 or higher and test relay connectivity remains functional.
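As an added example (not from the advisory and not part of the Syncthing project), the POSIX shell script below parses the output of `syncthing --version` and compares the reported version against 1.15.0 numerically rather than as a string, so that 1.9.9 is correctly ranked below 1.15.0. It assumes the first line of the output has the form `syncthing vX.Y.Z "Codename" (...)`; the two sample output strings are constructed here, not captured from real binaries, so confirm the format against your own installation.

```shell
#!/bin/sh
# Added example: check `syncthing --version` output against the patched
# release. Not part of the advisory or of the Syncthing project.

FIXED_VERSION="1.15.0"   # patch version stated in the advisory

# version_lt A B: succeed (exit 0) if dotted version A is numerically lower
# than B. Components are compared as integers, so 1.9.9 < 1.15.0, and missing
# components count as 0 (1.15 == 1.15.0). A plain string compare gets this wrong.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1   # equal
    }'
}

# extract_version TEXT: print the X.Y.Z part of the first vX.Y.Z token in
# TEXT. Assumes the first line of `syncthing --version` output looks like
# `syncthing vX.Y.Z "Codename" (goN.N OS-arch) ...`. Pre-release suffixes
# such as -rc.1 are dropped.
extract_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^v[0-9]+\.[0-9]+\.[0-9]+/) {
                sub(/^v/, "", $i)
                sub(/[^0-9.].*$/, "", $i)
                print $i
                exit
            }
    }'
}

# verdict TEXT: print "vulnerable", "patched" or "unknown" for --version output.
verdict() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample outputs (not captured from real binaries).
SAMPLE_OLD='syncthing v1.14.0 "Sample Codename" (go1.16 linux-amd64) builduser@host 2021-03-01 00:00:00 UTC'
SAMPLE_NEW='syncthing v1.15.0 "Sample Codename" (go1.16 linux-amd64) builduser@host 2021-04-01 00:00:00 UTC'

echo "sample old: $(verdict "$SAMPLE_OLD")"   # vulnerable
echo "sample new: $(verdict "$SAMPLE_NEW")"   # patched

# On a real host, run it against the installed binary (skipped if absent).
if command -v syncthing >/dev/null 2>&1; then
    echo "installed: $(verdict "$(syncthing --version 2>/dev/null)")"
fi
```

The same `version_lt` helper works for the strelaysrv binary, since it ships with and is versioned alongside Syncthing.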

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Syncthing process crashes
  • Restart messages in logs
  • Connection errors to relay servers

Network Indicators:

  • Malformed packets with negative length fields to port 22067
  • Unusual traffic patterns to relay infrastructure

SIEM Query:

(process:syncthing AND (event:crash OR event:restart)) OR (network.dst_port:22067 AND packet_size:<0)

Note that the negative length is a field inside the relay/BEP message, not the size of the packet on the wire, so the second clause only matches where a protocol-aware parser exposes that field; the crash/restart clause is the reliable signal in most environments.
