Problems Found in the Rsync File Synchronization Tool by Google Cloud Researchers

The well-known Rsync file-synchronization utility for Unix systems has up to six security flaws that have been revealed; some of these flaws could allow arbitrary code to run on a client.


In an advisory, the CERT Coordination Center (CERT/CC) stated: "Attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt."

The flaws are a heap-buffer overflow, an information leak, a file leak, file writes outside the intended directory (path traversal), and a symbolic-link race condition:

CVE-2024-12084 (CVSS score: 9.8): Heap-buffer overflow in Rsync due to improper checksum length handling

CVE-2024-12085 (CVSS score: 7.5): Information leak via uninitialized stack contents

CVE-2024-12086 (CVSS score: 6.1): Rsync server leaks arbitrary client files

CVE-2024-12087 (CVSS score: 6.5): Path traversal vulnerability in Rsync

CVE-2024-12088 (CVSS score: 6.5): Path traversal caused by a bypass of the --safe-links option

CVE-2024-12747 (CVSS score: 5.6): Race condition in Rsync when handling symbolic links

The first five vulnerabilities were found and reported by Simon Scannell, Pedro Gallegos, and Jasiel Spelman of Google Cloud Vulnerability Research; security researcher Aleksei Gorban is credited with the symbolic-link race condition. "In the most severe CVE, an attacker only requires anonymous read access to a Rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on," Nick Tait of Red Hat Product Security stated.

A combination of CVE-2024-12084 and CVE-2024-12085 could allow an attacker to execute arbitrary code on a client that has a Rsync server running, according to CERT/CC.

Earlier today, Rsync version 3.4.0 was released with patches for the vulnerabilities. Users who cannot deploy the update are advised to take the following precautions:

CVE-2024-12084: Disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST.
CVE-2024-12085: Compile with -ftrivial-auto-var-init=zero so that the compiler zero-initializes stack variables.
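As an added example that is not part of the advisory or of the Rsync project, the POSIX shell snippet below parses the banner line printed by rsync --version and reports whether a given build is 3.4.0 or later, i.e. whether it already carries the fixes and the compile-time workarounds above are unnecessary. The sample banner strings are constructed for the example, and the version-comparison helper is written here, not an rsync facility.

```shell
#!/bin/sh
# Added example, not part of the Rsync project or the CERT/CC advisory.
# Decides whether an rsync build is at or above 3.4.0, the release that
# contains the fixes for CVE-2024-12084 through CVE-2024-12088 and
# CVE-2024-12747, so an operator knows whether a host still needs the
# compile-time workarounds or an upgrade.

# Pull "X.Y.Z" out of the first line of `rsync --version`.
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is greater than or equal to $2, 1 otherwise.
# Missing components count as 0, so "3.4" compares equal to "3.4.0".
version_ge() {
    want=$2
    old_ifs=$IFS
    IFS=.
    set -- $1
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $want
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Return 0 when the banner names a release carrying the fixes, 1 otherwise.
# An unparseable banner is reported as unpatched rather than silently passing.
rsync_is_patched() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" 3.4.0
}

# Constructed sample banners standing in for `rsync --version | head -n 1`.
OLD_BANNER='rsync  version 3.2.7  protocol version 31'
NEW_BANNER='rsync  version 3.4.0  protocol version 32'

# Stand-alone usage: check the rsync actually installed on this host, if any,
# and otherwise demonstrate the check on the constructed banners.
if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
    if rsync_is_patched "$banner"; then
        echo "OK: $banner (3.4.0 or later)"
    else
        echo "WARNING: $banner predates 3.4.0; upgrade or apply the workarounds"
    fi
else
    for b in "$OLD_BANNER" "$NEW_BANNER"; do
        if rsync_is_patched "$b"; then
            echo "patched:   $b"
        else
            echo "unpatched: $b"
        fi
    done
fi
```

Run it on each host that serves or mounts an rsync module; a WARNING line means the workarounds above (or an upgrade to 3.4.0) still apply there. The parser only trusts a banner that begins with "rsync version", so output from a wrapper or a missing binary is reported as unpatched instead of passing by accident.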