possible threat and data loss via official ixsystems plugin syncthing

gammaburst

Cadet
Joined
Jan 3, 2021
Messages
5
Hi all,
I installed the official syncthing plugin via the truenas gui two days ago.
I was trying to fix an issue with the syncthing management page, when I stumbled upon this.
I did not configure any syncthing clients. I only changed the syncthing webgui from http to https and activated password login.
Please can somebody double check my steps and give me advice what to do now?
If I'm right, all people using this plugin are in danger of having their data copied illegally!

Here my steps to reproduce:
- install and start syncthing plugin, open a shell inside the jail and use: netstat -p tcp
[screenshot: area__taz_210104004016.png]

As you can see here, there is an ongoing connection to IPv4 85.195.234.18 at port 22067 (dynamic syncthing port).

I connected via browser to the IP and got this:
[screenshot: area__taz_210104004512.png]

About the provider I got this information:

route: 85.195.224.0/19
descr: Init7 (Switzerland) Ltd.
descr: St. Georgen-Strasse 70
descr: CH-8400 Winterthur
origin: AS13030
mnt-by: MNT-INIT7-NOC
member-of: RS-INIT7
created: 2014-12-12T14:49:39Z
last-modified: 2014-12-12T14:49:39Z

I do not know the provider or the NAS behind the IP, and I did not configure the plugin to do so!
Hopefully I'm completely wrong, but it looks like a backdoor in the official plugin to steal data. o_O

Kris Moore

SVP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
1,471
I took a quick look here, and it does appear that syncthing makes a bunch of outgoing TCP connections. Syncthing does appear to support talking to a bunch of relay/discovery servers by design though, so this is somewhat expected IMHO:


For kicks I did audit the plugin sources; it's super small, so not much to look at. Nothing obviously wrong there, it's just running stock syncthing. Suggest maybe posting something to their forums / help to confirm this behavior is expected?
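To follow up on the suggestion above, here is an added example (not code from the thread or from the plugin) that a TrueNAS admin could run to sort the jail's outbound connections by Syncthing role and to read off which config.xml options cause them. It assumes FreeBSD-style `netstat -p tcp` columns and the standard Syncthing options `relaysEnabled` and `globalAnnounceEnabled`; the sample netstat and config text below is constructed, with only the first connection line mirroring the one reported in this thread.

```python
"""Classify outbound TCP connections seen in a syncthing jail and check the
Syncthing config options that open them. Added example, not the thread's code."""
import xml.etree.ElementTree as ET

# Constructed sample in FreeBSD `netstat -p tcp` layout (port after the last dot).
NETSTAT_SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.53442       85.195.234.18.22067    ESTABLISHED
tcp4       0      0 192.0.2.10.53450       198.51.100.7.22000     ESTABLISHED
tcp4       0      0 192.0.2.10.8384        192.0.2.20.50211       ESTABLISHED
"""

# Constructed fragment in the shape of Syncthing's config.xml <options> block.
CONFIG_SAMPLE = """<configuration version="30">
  <options>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
  </options>
</configuration>"""

# Syncthing defaults: 22000 = direct device-to-device sync, 22067 = relay transport.
PORT_ROLE = {22000: "sync-peer", 22067: "relay"}


def classify_connections(netstat_text):
    """Return [(remote_ip, remote_port, role)] for every ESTABLISHED TCP entry."""
    result = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP sockets
        if fields[5] != "ESTABLISHED":
            continue
        ip, port = fields[4].rsplit(".", 1)  # FreeBSD separates port with a dot
        port = int(port)
        result.append((ip, port, PORT_ROLE.get(port, "other")))
    return result


def outbound_causes(config_xml):
    """Map each option that makes Syncthing reach out to public servers to its value."""
    opts = ET.fromstring(config_xml).find("options")
    return {name: opts.findtext(name, "true") == "true"
            for name in ("globalAnnounceEnabled", "relaysEnabled")}
```

Setting `relaysEnabled` and `globalAnnounceEnabled` to `false` removes the relay and global discovery traffic for an install that only syncs with devices on the LAN, at the cost of relay-assisted connections to devices behind NAT.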

gammaburst

Cadet
Joined
Jan 3, 2021
Messages
5
Thank you for your investigation. I will follow your advice and have asked the syncthing forum; I'm eager to hear their answer.
I'll keep you informed.

IMHO
Generally I would not expect a hack which is so simple to figure out. On the other hand, it's also not nice to establish this kind of connection, and these NAS exposed on the internet should not really be a challenge to hack for ambitious pros, which will lead to an attack vector in everybody's infrastructure running syncthing.