- Rysinc was found to be vulnerable to at least six flaws
- One of the bugs is a critical-severity RCE, experts warn
- Users and vendors are advised to update to version 3.4.0 immediately
Rsync, a popular open source file transfer and synchronization tool has been found carrying multiple vulnerabilities that allowed threat actors to conduct all kinds of malicious activities, remote code execution (RCE) included. As a result, hundreds of thousands of endpoints are at serious risk.
The warning comes from multiple cybersecurity researchers, including those from Google Cloud, who recently discovered and reported the flaws.
“Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on,” a security advisory published on Openwall reads. “Upstream has prepared patches for these CVEs. These fixes will be included in rsync 3.4.0 which is to be released shortly.”
Applying the fix
The most severe vulnerability is tracked as CVE-2024-12084, and is described as a heap buffer overflow bug arising from improper handling of checksum lengths in the Rsync daemon. It was given a severity score of 9.8, and said to affect versions 3.2.7 through < 3.4.0.
Other flaws are CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal), CVE-2024-12088 (bypass of –safe-links Option), and CVE-2024-12747 (symbolic link race condition).
The CERT Coordination Center (CERT/CC) labeled Red Hat, Arch, Gentoo, Ubuntu NixOS, AlmaLinux OS Foundation, and the Triton Data Center all as impacted, but added that there are “many more” potentially impacted projects and vendors.
“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” warned CERT/CC.
BleepingComputer also ran a quick Shodan scan which came back with 660,000 potentially affected instances. The majority (521,000) is located in China, with the remaining being split between the United States, Hong Kong, Korea, and Germany.
All Rsync users should upgrade to version 3.4.0 as soon as possible, or at least block TCP port 873.
