A total of six vulnerabilities, including a critical heap buffer overflow, have been discovered in Rsync, a widely used file synchronization tool for Linux systems. These flaws, which affect versions prior to 3.4.0, enable attackers to execute arbitrary code, leak sensitive data, and perform unauthorized file manipulations on vulnerable systems.
Discovery and technical details
The vulnerabilities were uncovered by two research teams: Google Cloud Vulnerability Research (Simon Scannell, Pedro Gallegos, and Jasiel Spelman) and independent researcher Aleksei Gorban. Red Hat's Nick Tait disclosed the findings on the Openwall oss-security mailing list yesterday, and a bulletin was subsequently published by the CERT Coordination Center.
Among the six, CVE-2024-12084, a heap-based buffer overflow rated CVSS 9.8, is the most severe. Rsync lets the peer choose the length of the strong per-block checksum (s2length). Support for SHA-256 and SHA-512 checksums raised the largest negotiable length (MAX_DIGEST_LEN) to 64 bytes, but the buffer that receives each checksum was still sized for the 16-byte SUM_LENGTH of MD4/MD5, and the incoming length was not checked against it. An attacker with anonymous read access to an Rsync daemon, such as a public file mirror, can send an oversized s2length, overwrite heap memory beyond the buffer, and execute arbitrary code on the server.
Other notable vulnerabilities include:
- CVE-2024-12085: An information leak in the same checksum-comparison code. The server compares the peer-chosen number of checksum bytes against a stack buffer that only holds a shorter real digest, so the match/mismatch result reveals uninitialized stack contents one byte at a time, which is enough to defeat ASLR.
- CVE-2024-12086: A malicious server can leak the contents of arbitrary files on a connecting client by abusing the checksum comparison during a transfer, again one byte at a time.
- CVE-2024-12087: A path traversal in the client triggered via --inc-recursive (enabled by default for many option combinations); a malicious server can write files outside the client's destination directory.
- CVE-2024-12088: --safe-links fails to verify symbolic link destinations that themselves contain symlinks, so a malicious server can again place files outside the intended directory.
- CVE-2024-12747: A race condition (a time-of-check/time-of-use window) in symbolic link handling, which could lead to privilege escalation or disclosure of sensitive files.
CVE-2024-12084 affects Rsync 3.2.7 through 3.3.0, the releases that added SHA-256/SHA-512 checksum support; the remaining flaws also affect older releases. All six issues are resolved in the Rsync 3.4.0 release.
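The following C program is an added illustration written for this article; it is not rsync's code. It models the two checksum-length bugs above in a self-contained way: a per-block record with a 16-byte strong-checksum field (`struct sum_buf`, `SUM_LENGTH` and `MAX_DIGEST_LEN` are named after rsync's constants but the layout is simplified), the CVE-2024-12084 pattern where a peer-chosen `s2length` bounds a copy into that fixed field, the CVE-2024-12085 pattern where a stack buffer is only partly written before `s2length` bytes of it are compared, the attacker's byte-by-byte recovery through the compare oracle, and the hardened forms of both routines. The `stale` array stands in for leftover stack contents so the model is deterministic; all function names and the sample digest are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Named after rsync's constants; the structure below is an illustrative model. */
#define SUM_LENGTH     16   /* MD4/MD5 digest; the size the sum2 buffers were built for */
#define MAX_DIGEST_LEN 64   /* SHA-512 digest; the largest length a 3.2.7+ peer can request */

/* Per-block checksum record, loosely modelled on rsync's sum_buf (hypothetical layout). */
struct sum_buf {
    int32_t  len;                /* block length */
    uint32_t sum1;               /* weak rolling checksum */
    char     sum2[SUM_LENGTH];   /* strong checksum: room for 16 bytes only */
};

/* CVE-2024-12084 pattern: the peer-supplied s2length bounds the copy, but the
 * destination is the fixed 16-byte field. Any value from 17 to MAX_DIGEST_LEN
 * writes past the struct into neighbouring heap memory. Shown for contrast;
 * never call it with an oversized length. */
void receive_sum_vulnerable(struct sum_buf *s, const char *wire, int s2length)
{
    memcpy(s->sum2, wire, (size_t)s2length);
}

/* Hardened form: validate the untrusted length against the destination
 * before copying. Returns 0 on success, -1 when the length is rejected. */
int receive_sum_checked(struct sum_buf *s, const char *wire, int s2length)
{
    if (s2length < 0 || (size_t)s2length > sizeof s->sum2)
        return -1;
    memcpy(s->sum2, wire, (size_t)s2length);
    return 0;
}

/* CVE-2024-12085 pattern: the sender computes its own digest into a stack
 * buffer, writing only digest_len bytes, then compares s2length bytes with the
 * peer's value. Bytes past digest_len are whatever the stack held, and the
 * match/mismatch result is an oracle for them. `stale` models that leftover
 * stack content so the example is deterministic (reading real uninitialized
 * memory is undefined behaviour). Returns 1 on match, 0 on mismatch. */
int compare_sum_vulnerable(const char *stale, const char *digest, int digest_len,
                           const char *peer_sum, int s2length)
{
    char local[MAX_DIGEST_LEN];
    memcpy(local, stale, sizeof local);          /* stands in for uninitialized stack */
    memcpy(local, digest, (size_t)digest_len);   /* only the real digest bytes are written */
    return memcmp(local, peer_sum, (size_t)s2length) == 0;
}

/* Hardened form: refuse any s2length beyond the negotiated digest length and
 * zero the buffer, so no stale byte can ever take part in a comparison.
 * Returns 1 on match, 0 on mismatch, -1 on a rejected length. */
int compare_sum_hardened(const char *digest, int digest_len,
                         const char *peer_sum, int s2length)
{
    char local[MAX_DIGEST_LEN] = {0};
    if (s2length < 0 || digest_len > MAX_DIGEST_LEN || s2length > digest_len)
        return -1;
    memcpy(local, digest, (size_t)digest_len);
    return memcmp(local, peer_sum, (size_t)s2length) == 0;
}

/* Attacker's side of the oracle: an anonymous client that can read the file
 * already knows the genuine digest, so it extends s2length by one byte at a
 * time and tries all 256 values for the new position. Returns the number of
 * stale bytes recovered into `out`. */
int recover_stale_bytes(const char *stale, const char *digest, int digest_len,
                        int total_len, char *out)
{
    char guess[MAX_DIGEST_LEN];
    int recovered = 0;
    memcpy(guess, digest, (size_t)digest_len);
    for (int pos = digest_len; pos < total_len; pos++) {
        int found = 0;
        for (int v = 0; v < 256; v++) {
            guess[pos] = (char)v;
            if (compare_sum_vulnerable(stale, digest, digest_len, guess, pos + 1)) {
                out[recovered++] = (char)v;
                found = 1;
                break;
            }
        }
        if (!found)
            break;
    }
    return recovered;
}

int main(void)
{
    /* Constructed sample input: a 16-byte "digest" and 64 bytes of fake stack residue. */
    char digest[SUM_LENGTH], stale[MAX_DIGEST_LEN], leaked[MAX_DIGEST_LEN];
    for (int i = 0; i < SUM_LENGTH; i++) digest[i] = (char)(0xA0 + i);
    for (int i = 0; i < MAX_DIGEST_LEN; i++) stale[i] = (char)(0x30 + i);

    struct sum_buf s = {0};
    printf("s2length=64 into a 16-byte sum2: %s\n",
           receive_sum_checked(&s, stale, MAX_DIGEST_LEN) == 0 ? "accepted" : "rejected");
    int n = recover_stale_bytes(stale, digest, SUM_LENGTH, MAX_DIGEST_LEN, leaked);
    printf("stale bytes recovered through the compare oracle: %d\n", n);
    return 0;
}
```

The two compile-time mitigations listed later in this article map directly onto this model: building without the SHA-256/SHA-512 digests keeps every negotiable length at or below 16 bytes, so `s2length` can never exceed `sum2`; `-ftrivial-auto-var-init=zero` makes the compiler zero `local` at function entry, so the oracle in `compare_sum_vulnerable` only ever reveals zeros. Neither replaces the explicit length check that `receive_sum_checked` and `compare_sum_hardened` perform, which is the durable fix.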
Rsync role and impact
Rsync is a widely adopted tool for efficient file synchronization between systems, often used for system backups, server mirroring, and data replication. Public mirrors, backup solutions like Rclone and ChronoSync, and Linux distributions such as Red Hat and Debian rely heavily on Rsync. Its daemon mode (rsyncd), which serves modules directly over TCP port 873 without SSH, is what makes public mirrors reachable by unauthenticated clients and therefore exposed to the attacks described above.
Given Rsync's popularity in enterprise environments and among developers, these vulnerabilities pose significant risks. The first two flaws chain naturally: CVE-2024-12085 leaks stack contents to defeat ASLR, and CVE-2024-12084 then turns the heap overflow into code execution, giving an anonymous client full control of the server. The client-side flaws let a malicious server write files or steal sensitive data such as SSH keys from systems that synchronize against it, exposing them to follow-up attacks.
Security recommendations
The Rsync maintainers have prepared patches for all six vulnerabilities, which are included in the release of Rsync 3.4.0. For those unable to apply the update, the following mitigations are advised:
- Build with CFLAGS="-DDISABLE_SHA256_DIGEST -DDISABLE_SHA512_DIGEST" so that no peer can negotiate a checksum longer than the 16-byte buffer at the heart of CVE-2024-12084.
- Build with -ftrivial-auto-var-init=zero (GCC 12+ or Clang) so that stack buffers are zero-filled, blunting the CVE-2024-12085 information leak.
- Avoid exposing Rsync daemons to untrusted networks or limit access to known IP addresses.
- For tools that embed Rsync (e.g., Rclone or other backup solutions), ensure that patched versions are integrated.