Six security vulnerabilities have been identified in Rsync, a widely-used file synchronization tool for Unix-based systems, some of which enable attackers to execute arbitrary code on the client system.
The CERT Coordination Center (CERT/CC) reported that attackers controlling a malicious server could read and write arbitrary files on connected clients. This creates a significant risk of sensitive information leakage, such as SSH keys, and allows the execution of malicious code by modifying critical files, such as ~/.bashrc or ~/.popt.
The discovered vulnerabilities include:
- CVE-2024-12084 (CVSS 9.8): Heap overflow caused by improper checksum length handling.
- CVE-2024-12085 (CVSS 7.5): Data leakage due to uninitialized stack contents.
- CVE-2024-12086 (CVSS 6.1): Arbitrary file leakage from the client by the Rsync server.
- CVE-2024-12087 (CVSS 6.5): Path traversal vulnerability.
- CVE-2024-12088 (CVSS 6.5): Bypass of the --safe-links option, leading to path traversal attacks.
- CVE-2024-12747 (CVSS 5.6): Race condition in symbolic link handling.
The first five vulnerabilities were uncovered by Google Cloud Vulnerability Research team members Simon Scannell, Pedro Gallegos, and Jaziel Spelman. The last vulnerability was disclosed by security researcher Alexey Gorban.
Among these, CVE-2024-12084 is particularly critical, as it can be exploited with mere anonymous read access to an Rsync server. Nick Tait from Red Hat Product Security noted that combining CVE-2024-12084 with CVE-2024-12085 enables arbitrary code execution on clients connecting to a compromised Rsync server.
With the release of Rsync version 3.4.0, all six vulnerabilities have been addressed. Users unable to update are advised to adopt the following mitigations:
- For CVE-2024-12084: Disable SHA support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST.
- For CVE-2024-12085: Use the compilation flag -ftrivial-auto-var-init=zero to zero-fill uninitialized stack contents.
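Because the fixed release is the only complete remedy, the first check on any host is whether the installed rsync is at least 3.4.0. The script below is an added example, not part of the advisory or of the Rsync project: it parses the first line of `rsync --version` (a constructed banner is embedded so it runs without rsync installed) and compares the version numerically against 3.4.0.

```shell
#!/bin/sh
# Added example: determine whether an rsync build predates the 3.4.0 fixes.

# Extract "X.Y.Z" from the first line of `rsync --version`, which looks like
# "rsync  version 3.2.7  protocol version 31".
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if version "$1" is >= 3.4.0, the first release with all
# six CVEs fixed; return 1 otherwise. Handles short forms such as "3.4" and
# suffixes such as "3.4.0pre1" by ignoring non-digit trailing characters.
rsync_is_fixed() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    [ "${major:-0}" -gt 3 ] && return 0
    [ "${major:-0}" -lt 3 ] && return 1
    [ "${minor:-0}" -gt 4 ] && return 0
    [ "${minor:-0}" -lt 4 ] && return 1
    return 0   # 3.4.x: fixed regardless of patch level
}

# Report one banner line as FIXED or VULNERABLE (prints only; callers that
# need the result should use rsync_is_fixed directly).
report_banner() {
    ver=$(rsync_version_from_banner "$1")
    if rsync_is_fixed "$ver"; then
        echo "rsync $ver: FIXED (>= 3.4.0)"
    else
        echo "rsync $ver: VULNERABLE (< 3.4.0), upgrade or apply mitigations"
    fi
}

# Constructed sample banners, used so the script runs offline.
report_banner 'rsync  version 3.2.7  protocol version 31'
report_banner 'rsync  version 3.4.0  protocol version 32'

# If rsync is installed on this host, check the real binary too.
if command -v rsync >/dev/null 2>&1; then
    report_banner "$(rsync --version 2>/dev/null | head -n 1)"
fi
```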
The swift adoption of these fixes or mitigations is imperative to safeguard systems against potential exploitation.