As many as six security vulnerabilities have been disclosed in the popular Rsync file synchronization tool for Unix systems, some of which can be exploited to execute arbitrary code on a client.
“Attackers can take control of a malicious server and read/write arbitrary files from any connected client,” the CERT Coordination Center (CERT/CC) said in its advisory. “Confidential data such as SSH keys can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.”
The flaws, which include a heap buffer overflow, an information leak, a file leak, a file write outside the intended directory, and a symlink race condition, are listed below:
- CVE-2024-12084 (CVSS Score: 9.8) – Heap buffer overflow in Rsync due to incorrect checksum length handling
- CVE-2024-12085 (CVSS Score: 7.5) – Information leak via uninitialized stack contents
- CVE-2024-12086 (CVSS Score: 6.1) – Rsync server leaking arbitrary client files
- CVE-2024-12087 (CVSS Score: 6.5) – Path traversal vulnerability in Rsync
- CVE-2024-12088 (CVSS Score: 6.5) – Bypass of the --safe-links option leading to path traversal
- CVE-2024-12747 (CVSS Score: 5.6) – Race condition in Rsync when handling symlinks
Simon Scannell, Pedro Gallegos and Jasiel Spelman of Google Cloud Vulnerability Research are credited with discovering and reporting the first five vulnerabilities. Security researcher Alexey Gorban is credited with the symbolic link race condition flaw.
“In the most severe CVE, an attacker only needs anonymous read access to an Rsync server, such as a public mirror, to execute arbitrary code on the machine running the server,” Nick Tate of Red Hat Product Security said.
CERT/CC also noted that an attacker could combine CVE-2024-12084 and CVE-2024-12085 to execute arbitrary code on a client that has an Rsync server running.
Patches for the vulnerabilities were released in Rsync version 3.4.0, which became available earlier today. For users who are unable to apply the update, the following steps are recommended:
- CVE-2024-12084 – Disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST
- CVE-2024-12085 – Compile with -ftrivial-auto-var-init=zero to zero the stack contents