Full Report
As many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client. "Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys,
Analysis Summary
# Vulnerability: Multiple Flaws in Rsync File Synchronization Tool (Code Execution, File Read/Write)
## CVE Details
- **CVE ID:** CVE-2024-12084
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Heap-buffer overflow (the source names the weakness class for CVE-2024-12084 but gives no CWE identifiers for any of the six flaws)
- **CVE ID:** CVE-2024-12085
- **CVSS Score:** 7.5 (High)
- **CWE:** Information leak
- **CVE ID:** CVE-2024-12086
- **CVSS Score:** 6.1 (Medium)
- **CWE:** Information disclosure
- **CVE ID:** CVE-2024-12087
- **CVSS Score:** 6.5 (Medium)
- **CWE:** Path traversal vulnerability
- **CVE ID:** CVE-2024-12088
- **CVSS Score:** 6.5 (Medium)
- **CWE:** Path traversal bypass
- **CVE ID:** CVE-2024-12747
- **CVSS Score:** 5.6 (Medium)
- **CWE:** Race condition
## Affected Systems
- **Products:** Rsync file synchronization tool (for Unix systems)
- **Versions:** All versions prior to **Rsync 3.4.0**
- **Configurations:**
  - CVE-2024-12084: Exploitable only when a SHA* checksum algorithm is in use.
  - CVE-2024-12088: Specific to the `--safe-links` option, which the flaw bypasses.
## Vulnerability Description
Google Cloud researchers discovered six security vulnerabilities in the Rsync tool. The most critical flaws allow an attacker controlling a malicious Rsync server to potentially execute arbitrary code on a connected client or read/write arbitrary files.
The specific flaws include:
1. **CVE-2024-12084 (Heap-buffer overflow):** Caused by improper handling of checksum lengths, which can lead to remote code execution (RCE) on the server itself under certain anonymous read access scenarios.
2. **CVE-2024-12085 (Information leak):** Leakage of uninitialized stack contents.
3. **CVE-2024-12086 (File leak):** Rsync server leaks arbitrary client files.
4. **CVE-2024-12087 & CVE-2024-12088 (Path Traversal/Bypass):** Directory traversal flaws allowing cross-directory file access.
5. **CVE-2024-12747 (Race Condition):** A race condition when handling symbolic links.
Attackers can combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client synchronized with a malicious Rsync server. Successful exploitation can lead to the extraction of sensitive data (like SSH keys) or the execution of malicious code by overwriting configuration files (e.g., `~/.bashrc`).
## Exploitation
- **Status:** The source describes the flaws as exploitable, particularly when chained, but reports only the potential for exploitation rather than confirmed in-the-wild attacks. The CERT/CC advisory notes that the most severe server-side flaw (CVE-2024-12084) requires only anonymous read access to exploit.
- **Complexity:** Described as accessible enough that for the most severe CVE, an attacker "only requires anonymous read access to a Rsync server."
- **Attack Vector:** Primarily **Network** (Client connecting to a malicious server, or Server interacting with a malicious client).
## Impact
- **Confidentiality:** High (Information leak, sensitive file extraction possible).
- **Integrity:** Critical (Arbitrary file write/overwrite, arbitrary code execution possible).
- **Availability:** Medium/High (Potential for system compromise leading to service disruption).
## Remediation
### Patches
- All six vulnerabilities are addressed in **Rsync version 3.4.0** and later.
### Workarounds
For users unable to immediately upgrade to 3.4.0:
- **For CVE-2024-12084:** Disable SHA* checksum support by compiling Rsync with both of the following flags:
  - `CFLAGS=-DDISABLE_SHA512_DIGEST`
  - `CFLAGS=-DDISABLE_SHA256_DIGEST`
- **For CVE-2024-12085:** The source excerpt states that a mitigation exists but does not describe it; consult the full CERT/CC advisory for the specific steps.
## Detection
- **Indicators of Compromise:** Detection would focus on unusual file modification events on client machines, particularly changes to configuration dotfiles (`.bashrc`, etc.) following a synchronization operation, or unexpected network activity from the Rsync daemon/client processes.
- **Detection Methods and Tools:** Monitor Rsync command-line arguments, in particular those that select checksum algorithms or control symbolic-link handling (such as `--safe-links`). Analyze system calls made by Rsync processes for signs of shell execution or file access outside the expected synchronization directories (reads or writes reached via `..` path components, or to dotfiles in home directories).
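The two detection ideas above, worked into a small script. This is an added example, not code from the advisory or the Rsync project: it checks an installed Rsync version against 3.4.0 and scans constructed sample log lines (assumed `TIMESTAMP PROCESS OP PATH` format) for writes to sensitive client dotfiles or traversal-style paths shortly after an rsync invocation.

```python
"""Added example (not from the advisory): defender-side checks for the Rsync
flaws above. Log format and sample lines are constructed assumptions."""
import re
from datetime import datetime, timedelta

FIXED_VERSION = (3, 4, 0)          # first release containing all six fixes
SENSITIVE_SUFFIXES = (".bashrc", ".profile", ".zshrc", ".bash_profile",
                      ".ssh/authorized_keys", ".ssh/config")

def rsync_version_is_vulnerable(version_output: str) -> bool:
    """Parse `rsync --version` output and report whether it predates 3.4.0."""
    m = re.search(r"rsync\s+version\s+v?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("could not parse rsync version string")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(exec|write)\s+(.+)$")

def flag_suspicious_writes(log_lines, window=timedelta(minutes=5)):
    """Return (timestamp, path, reason) for writes within `window` after an
    rsync run that hit a sensitive dotfile or contain a '..' component."""
    findings, last_sync = [], None
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed lines
        ts = datetime.fromisoformat(m.group(1))
        proc, op, path = m.group(2), m.group(3), m.group(4).strip()
        if op == "exec" and proc.startswith("rsync"):
            last_sync = ts                 # start of a sync window
        elif op == "write" and last_sync and ts - last_sync <= window:
            if ".." in path.split("/"):
                findings.append((m.group(1), path, "path traversal component"))
            elif path.endswith(SENSITIVE_SUFFIXES):
                findings.append((m.group(1), path, "sensitive dotfile modified after sync"))
    return findings

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2025-01-15T10:00:00 rsync[4242] exec rsync -avz backup.example::docs /home/alice/docs",
    "2025-01-15T10:00:02 rsync[4242] write /home/alice/docs/report.txt",
    "2025-01-15T10:00:03 rsync[4242] write /home/alice/docs/../.bashrc",
    "2025-01-15T10:00:04 rsync[4242] write /home/alice/.ssh/authorized_keys",
    "2025-01-15T11:00:00 vim[5151] write /home/alice/.bashrc",   # outside the window
]

if __name__ == "__main__":
    for finding in flag_suspicious_writes(SAMPLE_LOG):
        print(*finding)
```

Only the two writes inside the five-minute window after the rsync invocation are reported; the later editor write to `.bashrc` is not.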
## References
- CERT Coordination Center (CERT/CC) Advisory: `kb.cert.org/vuls/id/952657`
- Rsync 3.4.0 Release Notes: `github.com/RsyncProject/rsync/releases/tag/v3.4.0`