A stored cross-site scripting (XSS) vulnerability, CVE-2022-46165, has been disclosed in Syncthing, the open-source continuous file synchronization program. In versions prior to 1.23.5, a malicious device can inject arbitrary HTML and JavaScript into the web UI of another device through file and device names. Script running in the victim's web UI acts with the victim's authority there, so it can alter shared folder settings or add devices. The issue is fixed in version 1.23.5, and users are urged to upgrade. This post summarizes the vulnerability, shows the shape of a malicious file name, and links the original references so that users can assess and mitigate the risk.

Overview

CVE-2022-46165 affects Syncthing versions before 1.23.5, where a compromised device with shared folders can sync malicious files containing arbitrary HTML and JavaScript in their names. When the owner of another device views the shared folder's settings and hovers over the latest sync entry, the malicious script could execute, potentially altering shared folder settings or automatically adding devices.

Additionally, adding a new device with a malicious name could embed HTML or JavaScript within the page, opening the webUI to a stored cross-site scripting attack. Because the name is persisted (as a file in the folder index or as a device entry in the configuration) and rendered again on every page load, the payload fires repeatedly rather than once. The issue was addressed in version 1.23.5, and users are advised to upgrade as soon as possible. Users who cannot upgrade should avoid sharing folders with untrusted users.

Suppose a malicious user places a file with the following name in a folder shared with the victim. The name is legal on Linux and macOS filesystems, which is where an attacker would create it; Windows forbids the characters <, > and " in file names.

<img src=1 onerror='alert("XSS")'>.txt

When the owner of another device, running an unpatched version, hovers over the latest sync entry, the browser parses the <img> tag, fails to load src=1, and runs the onerror handler, so a JavaScript alert reading "XSS" appears. The alert is only a proof of execution; a real payload would silently issue requests to the Syncthing REST API from the victim's web UI session instead.
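To make the failure concrete, here is an added example in plain Node.js (not code from Syncthing or from the original post) showing the rendering mistake behind a stored XSS next to its hardened form, fed with the file name above. The function names and the markup shape are assumptions for illustration; Syncthing's actual UI templates differ.

```javascript
// Added example, not Syncthing's code. Shows how a file name reaches the page
// unescaped (stored XSS) versus HTML-escaped, using the payload from the post.
// Runs under plain Node.js; no browser or DOM required.

// Constructed sample file names. The second is the payload discussed above.
const SAMPLE_NAMES = [
  "report.txt",
  "<img src=1 onerror='alert(\"XSS\")'>.txt",
  "notes <b>bold</b>.md",
];

// Vulnerable pattern (illustrative, not Syncthing's template): the untrusted
// name is interpolated straight into markup. A browser parses the <img> tag
// inside the name, fails to load src=1 and runs the onerror handler.
function renderLatestChangeVulnerable(name) {
  return `<span title="${name}">${name}</span>`;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before interpolation so the name is shown as text.
// In a framework such as AngularJS the equivalent is binding the value as
// text ({{ name }}) rather than as trusted HTML.
function renderLatestChangeSafe(name) {
  const safe = escapeHtml(name);
  return `<span title="${safe}">${safe}</span>`;
}

// Does the rendered markup contain a real <tagName ...> start tag?
// "&lt;img" is inert text; "<img" is something the browser will act on.
function containsStartTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Render every sample both ways and report which ones would execute.
function compare(names) {
  return names.map((name) => ({
    name,
    vulnerableExecutes: containsStartTag(renderLatestChangeVulnerable(name), "img"),
    safeExecutes: containsStartTag(renderLatestChangeSafe(name), "img"),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of compare(SAMPLE_NAMES)) console.log(r);
}
```

The escaped form of the payload is `&lt;img src=1 onerror=&#39;alert(&quot;XSS&quot;)&#39;&gt;.txt`, which the browser displays verbatim as the file name and never parses as a tag. Escaping at the point of output, rather than filtering names on input, is the right fix here because Syncthing has no say over what names other devices send.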

Exploit Details

The vulnerability is a stored cross-site scripting attack (XSS): the malicious code is persisted by the application, here as a file name in the folder index or a device name in the configuration, and executed whenever the affected page is rendered in the user's browser. Because the script runs in the origin of the Syncthing web UI, it can do anything the logged-in user can do through that UI, including changing folder settings and adding devices, which is what makes a name-based injection so damaging.

Original References

- Syncthing official GitHub repository containing the relevant issue and fix: https://github.com/syncthing/syncthing/issues/8136
- Syncthing forum post discussing the vulnerability: https://forum.syncthing.net/t/security-notice-cve-2022-46165/19713

How to Mitigate

To mitigate this vulnerability, users should upgrade to Syncthing version 1.23.5 or later, which includes the fix for CVE-2022-46165. Official release builds can upgrade themselves automatically, while distribution packages and containers usually do not, so confirm the running version in the web UI or with syncthing --version rather than assuming the upgrade has happened.

Users who cannot upgrade should avoid sharing folders with untrusted users, since any device that can write to a shared folder can introduce a malicious file name. Stay vigilant when accepting new shared folders or devices, and ensure that you trust the source before allowing access to your synchronization network.

Conclusion

The Syncthing stored cross-site scripting vulnerability (CVE-2022-46165) poses a significant risk to users because arbitrary HTML and JavaScript can reach the web UI through file and device names and then act with the victim's authority there. It is crucial that users upgrade to version 1.23.5 or later as soon as possible. If upgrading is not feasible, users must be cautious when sharing folders or accepting devices, ensuring they trust the source before granting access.

Timeline

Published on: 06/06/2023 18:15:00 UTC
Last modified on: 06/16/2023 04:15:00 UTC