Rsync vulnerabilities allow remote code execution on servers, patch quickly!
Six vulnerabilities have been fixed in the newest versions of Rsync (v3.4.0), two of which could be exploited by a malicious client to achieve arbitrary code execution on a machine with a running Rsync server.
“The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt,” CERT/CC noted.
About Rsync and the fixed vulnerabilities
Rsync is an open source utility used for synchronizing / transferring files and directories between different systems (computers, servers, storage devices, etc.), and is included by default in base installations of some Linux distributions.
“Rsync can also be used in Daemon mode and is widely used in in public mirrors to synchronize and distribute files efficiently across multiple servers,” CERT/CC added. “Many backup programs, such as Rclone, DeltaCopy, and ChronoSync use Rsync as backend software for file synchronization.”
The fixed vulnerabilities include:
- CVE-2024-12084, CVE-2024-12085 and CVE-2024-12086 are flaws in the Rsync daemon that could be exploited for remote code execution, leaking of stack data, and to read arbitrary files from the client’s machine (when they are being copied from a client to a server)
- CVE-2024-12087 and CVE-2024-12088 affect the Rsync client and may allow a malicious server to write malicious files to arbitrary locations on connected clients
- CVE-2024-12747 stems from Rsync improperly handling symbolic links during a race condition and can be used to leak sensitive information to the attacker
They all affect Rsync versions prior to v3.4.0, and CVE-2024-12084 is also present in v3.2.7 and higher. Mitigations for some the first two vulnerabilities are available (see here).
The first five flaws have been reported by Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google Cloud Vulnerability Research, and the last one by Aleksei Gorban.
What to do?
The Rsync maintainer has released a version with the fixes on Tuesday and users should implement them as soon as possible.
“As Rsync can be distributed bundled, ensure any software that provides such updates is also kept current to address these vulnerabilities,” CERT/CC says.
Updated Rsync packages have already been pushed out for Ubuntu and Debian.
CERT/CC’s list of affected OSes currently includes AlmaLinux OS, Arch Linux, Gentoo Linux, NixOS, Red Hat and SmartOS (i.e., the Triton DataCenter cloud management platform). The list will be updated as more information becomes available.