Security update - Syncthing v0.12.14

Continuing the discussion from Upcoming security release of Go:

I’ve just pushed and built Syncthing v0.12.14. This build is built with Go 1.5.3, except for the Windows which is built using Go 1.6beta2. Go 1.5.3 / 1.6beta2 fixes the security issue described here, but the relevant part is:

Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.

On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade.

For us, this should mean that an eavesdropper collecting a sufficient number of TLS handshakes (i.e. connection attempts) could potentially break the key and thus impersonate the device ID. This concerns keys generated on v0.12.4 or earlier - later versions generate EC keys which are not susceptible to this attack.

5 Likes

Updated for v0.12.14. This is the same code as v0.12.13, however the Windows build is done using the newly released Go 1.6beta2 that contains all the relevant fixes.

For non-Windows builds there is no difference at all between v0.12.13 and v0.12.14.

This topic was automatically closed after 7 days. New replies are no longer allowed.