What are the critical vulnerabilities discovered in Rsync?

The most critical vulnerability is CVE-2024-12084 (CVSS 9.8), a heap buffer overflow in the Rsync daemon that enables remote code execution. Other significant vulnerabilities include CVE-2024-12085 (CVSS 7.5) causing information leaks, CVE-2024-12086 (CVSS 6.1) allowing file enumeration, and multiple path traversal vulnerabilities (CVE-2024-12087 and CVE-2024-12088, both CVSS 6.5).

How many systems are potentially affected by these vulnerabilities?

Over 660,000 Rsync servers globally are potentially exposed, with 306,517 servers running on default TCP port 873 and 21,239 on port 8873. The majority of affected servers are located in China (521,000), followed by the United States, Hong Kong, Korea, and Germany.

Which versions of Rsync are affected?

The critical buffer overflow vulnerability (CVE-2024-12084) affects versions 3.2.7 through < 3.4.0, while the other vulnerabilities affect all versions below 3.4.0. Major Linux distributions including Red Hat, Arch, Gentoo, Ubuntu, NixOS, and AlmaLinux OS Foundation are affected.

What mitigation steps are recommended?

Recommended mitigation steps include: 1) Upgrading to Rsync version 3.4.0, 2) Disabling SHA* support for CVE-2024-12084, 3) Compiling with -ftrivial-auto-var-init=zero for CVE-2024-12085, 4) Configuring daemon to require credentials, and 5) Blocking TCP port 873 if immediate upgrade isn't possible.

What is the potential impact of these vulnerabilities?

The vulnerabilities can lead to remote code execution, information leaks, unauthorized file access and enumeration, path traversal attacks, and privilege escalation. The critical vulnerability (CVE-2024-12084) could allow attackers to execute arbitrary code remotely on affected systems.

Advisory

Multiple flaws reported in Rsync, at least one critical

Q: What mitigation steps are recommended?

Recommended mitigation steps include: 1) Upgrading to Rsync version 3.4.0, 2) Disabling SHA* support for CVE-2024-12084, 3) Compiling with -ftrivial-auto-var-init=zero for CVE-2024-12085, 4) Configuring daemon to require credentials, and 5) Blocking TCP port 873 if immediate upgrade isn't possible.

Q: What is the potential impact of these vulnerabilities?

The vulnerabilities can lead to remote code execution, information leaks, unauthorized file access and enumeration, path traversal attacks, and privilege escalation. The critical vulnerability (CVE-2024-12084) could allow attackers to execute arbitrary code remotely on affected systems.

published: Jan. 15, 2025

Take action: If you are running Rsync, plan to upgrade to Rsync version 3.4.0. You can remedy some of the issues bu recompiling with several flags, and you should configure the daemon to require credentials. Also, if you can't patch immediately, lock it down to trusted peer addresses, not to be visible for the entire internet.

Learn More

Multiple security vulnerabilities have been identified in Rsync, a widely-used open-source file synchronization and data transfer tool.

The vulnerabilities affect over 660,000 potentially exposed Rsync servers globally, with the majority located in China (521,000), followed by the United States, Hong Kong, Korea, and Germany.

The vulnerabilities include:

CVE-2024-12084 (CVSS score: 9.8): A critical heap buffer overflow vulnerability in the Rsync daemon due to improper handling of checksum lengths. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), attackers can write out of bounds in the sum2 buffer, enabling remote code execution. Affects versions 3.2.7 through < 3.4.0.
CVE-2024-12085 (CVSS score: 7.5): An information leak vulnerability allowing attackers to expose uninitialized stack data one byte at a time by manipulating checksum lengths during file comparison operations. Affects all versions below 3.4.0.
CVE-2024-12086 (CVSS score: 6.1): A vulnerability enabling malicious servers to enumerate and reconstruct arbitrary client files byte-by-byte using manipulated checksum values during file transfers. Affects all versions below 3.4.0.
CVE-2024-12087 (CVSS score: 6.5): A path traversal vulnerability related to the --inc-recursive option, allowing malicious servers to write files outside intended client directories. Affects all versions below 3.4.0.
CVE-2024-12088 (CVSS score: 6.5): A path traversal vulnerability stemming from improper verification of symbolic link destinations, potentially leading to arbitrary file writes outside designated directories. Affects all versions below 3.4.0.
CVE-2024-12747 (CVSS score: 5.6): A race condition vulnerability in handling symbolic links that could lead to privilege escalation and sensitive information exposure. Affects all versions below 3.4.0.

Potentially affected servers are over 660,000 exposed Rsync servers globally. Of those 306,517 servers are running on default TCP port 873 and 21,239 servers listening on port 8873 (commonly used for Rsync over SSH tunneling)

Affected systems include major Linux distributions and platforms such as Red Hat, Arch, Gentoo, Ubuntu NixOS, AlmaLinux OS Foundation, and the Triton Data Center, with many other potential victims yet to be identified.

Users are advised to apply the following mitigation steps:

Upgrade to Rsync version 3.4.0
For CVE-2024-12084: Disable SHA* support by compiling with specific flags
For CVE-2024-12085: Compile with -ftrivial-auto-var-init=zero
Configure daemon to require credentials
Block TCP port 873 at the perimeter if immediate upgrade is not possible

Multiple flaws reported in Rsync, at least one critical

Read More
ESET patches vulnerability that causes web browsers to …
Critical Path Traversal Flaw in Unstructured.io AI Library …
Critical Plesk vulnerability enables privilege escalation, server compromise
Critical authentication bypass flaw in HCL BigFix WebUI …
Progress Telerik fixes critical auth bypass flaw, PoC …