Severe Rsync vulnerabilities — CVSS 9.8 — risk RCE, data leaks – Go Health Pro

Six vulnerabilities in the popular Rsync file-synchronizing tool were disclosed Wednesday, including critical and high-severity flaws that could risk remote code execution (RCE) and data leakage.

The Rsync utility is commonly used in Unix-like operating systems, and the Rsync daemon is frequently used to synchronize and distribute files through public mirrors.

The CERT Coordination Center (CERT/CC) reported that five of the vulnerabilities were discovered by Simon Scannell, Pedro Gallegos and Jasiel Spelman of Google Cloud Vulnerability Research, while a sixth was discovered by security researcher Aleksei Gorban.

The most severe of the flaws discovered by the Google Cloud researchers is a heap-buffer overflow with a CVSS score of 9.8, tracked as CVE-2024-12084. The vulnerability stems from Rsync’s improper handling of checksum lengths that exceed the fixed length (SUM_LENGTH) of 16 bytes.

Checksums are small pieces of data used to determine whether two files are identical, so that Rsync can resynchronize only the files that have changed. If an attacker manipulates a checksum to be longer than 16 bytes, the overflow flaw can allow the attacker to write out-of-bounds into the sum2 buffer, according to CERT/CC. This could potentially lead to RCE on the machine running the Rsync server, noted Red Hat Product Security Incident Commander Nick Tait.

The second most severe flaw, tracked as CVE-2024-12085, with a CVSS score of 7.5, also involves the manipulation of checksum lengths, this time resulting in information leakage. An altered checksum length can lead Rsync to compare a checksum against uninitialized memory, which can leak uninitialized stack data one byte at a time.
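As an added illustration, not rsync's own code, the following is a simplified model of the pattern both checksum flaws share: a fixed 16-byte sum2 buffer that receives a peer-announced checksum length. The wire format, struct and function names are assumptions; the bound check in read_checksum is what the overflow class lacks, and the zero-initialized, length-bounded comparison avoids reading uninitialized bytes.

```c
#include <stddef.h>
#include <string.h>

/* Fixed checksum buffer size described in the advisory (16 bytes).
 * Everything else here is a hypothetical, simplified model. */
#define SUM_LENGTH 16

/* A received checksum record: the peer announces a length, then the bytes. */
struct sum_record {
    size_t sum_len;                  /* validated length actually stored */
    unsigned char sum2[SUM_LENGTH];  /* fixed-size buffer, as in the advisory */
};

/* Parse a constructed wire message of the form [len][len bytes...].
 * Returns 0 on success, -1 if the announced length exceeds the fixed buffer
 * or the message is truncated. Copying `len` bytes without the first bound
 * is the heap-overflow class the article describes. */
int read_checksum(const unsigned char *msg, size_t msg_len, struct sum_record *out)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > SUM_LENGTH) return -1;    /* the bound the vulnerable path lacked */
    if (msg_len - 1 < len) return -1;   /* truncated message: refuse, don't guess */
    memset(out->sum2, 0, SUM_LENGTH);   /* never compare against stale bytes */
    memcpy(out->sum2, msg + 1, len);
    out->sum_len = len;
    return 0;
}

/* Compare only over bytes actually received, without early exit, so a short
 * or mismatched length never drives a read past valid data (the leak class). */
int checksum_matches(const struct sum_record *a, const struct sum_record *b)
{
    if (a->sum_len != b->sum_len) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < a->sum_len; i++) diff |= a->sum2[i] ^ b->sum2[i];
    return diff == 0;
}

/* Constructed sample messages (hypothetical) exercising the parser. */
static int run_case(unsigned char announced_len, size_t payload_len)
{
    unsigned char msg[1 + 64];
    struct sum_record r;
    msg[0] = announced_len;
    memset(msg + 1, 0xAB, payload_len);
    return read_checksum(msg, 1 + payload_len, &r);
}
int case_valid16(void)   { return run_case(16, 16); }  /* returns 0 */
int case_oversized(void) { return run_case(32, 32); }  /* returns -1 */
int case_truncated(void) { return run_case(16, 4); }   /* returns -1 */
```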

Both CVE-2024-12084 and CVE-2024-12085 can be exploited by clients with anonymous read-only access to an Rsync server, including through a public mirror, Tait noted. Additionally, an attacker with control over a compromised Rsync server could leverage the flaws to execute malicious code on connected client machines, by overwriting critical files like ~/.bashrc or ~/.popt, and steal sensitive data such as SSH keys, according to CERT/CC.

The other four flaws are medium-severity vulnerabilities, including:

  • CVE-2024-12086, which could leak the contents of arbitrary files from client machines when files are copied from the client to the server
  • CVE-2024-12087, a path traversal flaw that could allow a server to write files outside of the client’s intended destination directory
  • CVE-2024-12088, another path traversal related to a failure to verify whether symbolic links contain other symbolic links within them, and
  • CVE-2024-12747, which can lead to privilege escalation via a symbolic link race condition

These flaws are present in Rsync versions 3.3.0 and earlier and were patched in version 3.4.0 published Wednesday.

A full list of operating systems and products that use Rsync and are confirmed to be affected or not affected by these vulnerabilities is available on the CERT/CC website.
