Widespread Rsync Server Vulnerability Exposes Over 600,000 to Attacks

Urgent Security Warning | Critical Rsync Flaw Exposes 660,000+ Servers to Remote Code Execution

1/17/2025

Over 600,000 exposed Rsync servers may be at risk due to six newly discovered vulnerabilities, including a critical heap-buffer overflow flaw that could enable remote code execution on affected servers.

Rsync is a widely used open-source tool for file synchronization and data transfer. It is particularly valued for its incremental transfers, which send only the parts of a file that have changed and so reduce transfer time and bandwidth consumption. Rsync supports local file system transfers, remote transfers over secure protocols such as SSH, and direct file syncing through its own daemon.

The Rsync tool is widely used in backup systems such as Rclone, DeltaCopy and ChronoSync, as well as in public file distribution repositories and cloud/server management operations.

The vulnerabilities in Rsync were identified by Google Cloud and independent security researchers. These flaws can be exploited together to create powerful attack chains that could lead to remote system compromise.

According to the bulletin published on Openwall, "In the most critical CVE, an attacker only needs anonymous read access to an Rsync server, such as a public mirror, to execute arbitrary code on the machine running the server."

Below are the flaws that were found:

  • Heap Buffer Overflow (CVE-2024-12084): Vulnerability arising from improper handling of checksum lengths in the Rsync daemon, leading to out-of-bounds writes in the buffer. It affects versions 3.2.7 and later, below 3.4.0, and can enable arbitrary code execution. Mitigation involves compiling with specific flags to disable SHA256 and SHA512 digest support. (CVSS score: 9.8)

  • Information Leak via Uninitialized Stack (CVE-2024-12085): Flaw allowing the leakage of uninitialized stack data when comparing file checksums. Attackers can manipulate checksum lengths to exploit this vulnerability. It affects all versions below 3.4.0, with mitigation achievable by compiling with the -ftrivial-auto-var-init=zero flag to initialize stack contents. (CVSS score: 7.5)

  • Server Leaks Arbitrary Client Files (CVE-2024-12086): Vulnerability allowing a malicious server to enumerate and reconstruct arbitrary client files byte-by-byte using manipulated checksum values during file transfer. All versions below 3.4.0 are affected. (CVSS score: 6.1)

  • Path Traversal via --inc-recursive Option (CVE-2024-12087): Issue that stems from inadequate symlink verification when using the --inc-recursive option. Malicious servers can write files outside the intended directories on the client. All versions below 3.4.0 are vulnerable. (CVSS score: 6.5)

  • Bypass of --safe-links Option (CVE-2024-12088): Flaw which occurs when Rsync fails to properly verify symbolic link destinations containing other links. It results in path traversal and arbitrary file writes outside designated directories. All versions below 3.4.0 are impacted. (CVSS score: 6.5)

  • Symbolic Link Race Condition (CVE-2024-12747): Vulnerability arising from a race condition in handling symbolic links. Exploitation may allow attackers to access sensitive files and escalate privileges. All versions below 3.4.0 are affected. (CVSS score: 5.6)
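The following script is an added example, not code from the article or from the Rsync project. It turns the affected-version ranges listed above into an inventory check: it parses the first line of `rsync --version` output, reports which of the six CVEs apply to that build, and flags anything below 3.4.0 (or with an unparseable banner) as needing an upgrade. The hostnames and banners in `SAMPLE_INVENTORY` are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as given in the list above: (CVE, first affected version
# inclusive, first fixed version exclusive). Only CVE-2024-12084 has a lower
# bound; the other five affect every release below 3.4.0.
AFFECTED_RANGES: List[Tuple[str, Version, Version]] = [
    ("CVE-2024-12084", (3, 2, 7), (3, 4, 0)),  # heap buffer overflow, RCE
    ("CVE-2024-12085", (0, 0, 0), (3, 4, 0)),  # uninitialized stack leak
    ("CVE-2024-12086", (0, 0, 0), (3, 4, 0)),  # server leaks client files
    ("CVE-2024-12087", (0, 0, 0), (3, 4, 0)),  # --inc-recursive path traversal
    ("CVE-2024-12088", (0, 0, 0), (3, 4, 0)),  # --safe-links bypass
    ("CVE-2024-12747", (0, 0, 0), (3, 4, 0)),  # symlink race condition
]

FIXED_VERSION: Version = (3, 4, 0)

# Matches the leading "rsync  version X.Y.Z" of `rsync --version` output.
_VERSION_RE = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)")


def parse_rsync_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `rsync --version` output.

    Returns None when no version string is present, so a host that could
    not be queried is reported as unknown rather than silently as safe.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[str]:
    """Return the CVEs from the advisory whose affected range covers `version`."""
    return [cve for cve, low, high in AFFECTED_RANGES if low <= version < high]


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map hostname -> {version, cves, needs_upgrade} for hostname -> banner input.

    A host whose banner cannot be parsed gets version None and needs_upgrade
    True, because an unverified version must not be treated as patched.
    """
    report: Dict[str, Dict[str, object]] = {}
    for host, banner in inventory.items():
        version = parse_rsync_version(banner)
        if version is None:
            report[host] = {"version": None, "cves": [], "needs_upgrade": True}
            continue
        report[host] = {
            "version": ".".join(str(part) for part in version),
            "cves": affected_cves(version),
            "needs_upgrade": version < FIXED_VERSION,
        }
    return report


# Constructed sample banners; hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mirror-01": "rsync  version 3.2.7  protocol version 31",
    "backup-02": "rsync  version 3.1.3  protocol version 31",
    "build-03": "rsync  version 3.4.0  protocol version 31",
    "legacy-04": "bash: rsync: command not found",
}

if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```

Two caveats when using a check like this in practice: the version string alone does not say whether the host actually runs an rsync daemon reachable from untrusted networks, which is what makes the heap overflow remotely exploitable, and distributions often backport fixes without bumping the upstream version number, so a build reported as 3.2.7 may already carry the patches; confirm against the vendor's own advisory before treating the result as final.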