Patrick Kolla-ten Venne

Security issues in Synergy 2


Hello,

I found some private data leaks and major security issues in the Synergy 2 software about two months ago and tried to get into contact with Symless. Their response was quite negative: I was locked out of my Symless account (which includes a valid Synergy 1 Pro license I can no longer access) and told that certain PII had been removed from public servers (it's still there). Both Nick Bolton and Malcolm Lowe refused to deal with my feedback.

As a long-term Synergy user (at least 12 years) and a security researcher, I'm in a difficult situation here. I gave Symless at least six weeks to address any security issues, which should be sufficient time in terms of responsible disclosure, but since they did not address the issues I found, publishing them would make it even more obvious to crooks how Synergy users can be attacked.

I hope that this public post might change Nick's or Malcolm's opinion so that the security issues can be addressed before my research results get published. And if other fellow users of Synergy are interested in their security, I recommend asking for Symless' stance on privacy and security reports.

Best regards,
Patrick Kolla-ten Venne
Safer-Networking Ltd.


I know Symless is working on a number of security and other issues (including removing the public-internet access requirement) for 2.1. It might be worthwhile holding off your public disclosure until we get confirmation on what's being addressed there, and then making your decision as to what you want to publish. Just a suggestion.


Thanks for your reply :)

I had to buy another license to be able to post this reply, since I was not able to log in again, which might be due to my account having been deleted as a consequence of the communication six weeks ago (and I might have only been able to post because cookies still identified me as logged in, which would be another issue). The newly created account doesn't list my Synergy 1 Pro license any more, though, so it's still lost.

The review paper draft I sent them was about 30 pages maybe; I'm at 90 pages now, with more important issues that they're not even aware of since they simply deleted my account and stopped communicating, and the proof of concept of one exploit has not even been written up and explained in there. Plus, they confirmed they deleted certain PII they made public, but it's still online even six weeks later.

I certainly would hold back if there had been proper communication and a will to improve things, but blocking a loyal long-time user who was trying to help close security issues sounds more like an attempt to cover up problems than an attempt to improve things for the next release. That's why I started this thread - to get a feeling for whether they've changed their negative attitude and whether it might be worth coordinating the publishing. I know this forum is "self-support", but maybe it'll still trigger some reaction in the right direction :)


It's scary to hear, because Synergy 2.0 (synergy-service) works with root user rights under Linux.

@staff Can I revoke root access rights from "synergy-service" and replace them with Linux capabilities (for instance)?

PS. I have disabled Synergy entirely.

Edited by livelace


Very scary indeed. Not only because of the major security issues, but also because of the Symless @staff seemingly trying to sweep it under the rug.

1 minute ago, livelace said:

It's scary to hear, because Synergy 2.0 (synergy-service) works with root user rights under Linux.

@staff Can I revoke root access rights from "synergy-service" and replace them with Linux capabilities (for instance)?

It's difficult to reply without giving the details, but I'll try.

I haven't found anything that would give an attacker control over Synergy processes, so limiting rights is not necessary for this.

What I've found could mostly be addressed by simple standard techniques, but has to be done within the software.

On Linux and macOS, a simple local workaround would be possible.


Unless you have evidence, let's not accuse anyone of pushing flaws under floor coverings :). Bear in mind that Symless is a small firm with a LOT of feature and infrastructure requests to manage, and although I'm sure that security is a high priority, there are a lot of priorities. If companies the size of Micro$oft and Intel have the right to security flaws, so does Symless. That doesn't make it "right" nor does it imply that the issues shouldn't be fixed -- they should and must -- but there's a difference between pushing boulders uphill and consciously ignoring problems.

1 hour ago, jml said:

Unless you have evidence, let's not accuse anyone of pushing flaws under floor coverings :).

I'm assuming you're replying to my post. Sorry if that's not the case.

I'm not accusing; I said "seemingly" because I don't know if that's really the case, but locking him out of his account after he approached them to report the security vulnerabilities he found, and refusing to address his feedback, seems like it.

Maybe the account locking issue was a coincidence, and maybe them rejecting his feedback was just a misunderstanding. But it's scary nonetheless.

Let's hope that last paragraph is really what happened. Don't take out the pitchforks for now.

On 1/9/2018 at 12:11 PM, Patrick Kolla-ten Venne said:

my account having been deleted as a consequence of the communication six weeks ago

His account was refunded, this is why it was deactivated.

We're already aware of the security issues he raised, and have prioritized them according to severity.

This topic is now closed to further replies.