Six bugs in rsync server fixed, one of them critical

Security researchers discovered vulnerabilities in the open source software rsync, which can be used to synchronize or even just copy files very efficiently.


(Image: Created with Bing Image Creator by heise online)


The rsync file synchronization tool, popular on Linux, has several security vulnerabilities. The worst of them lies in the rsync server and allows the injection and execution of arbitrary code; an attacker needs only anonymous, read-only access to exploit it.

A team of security researchers at Google apparently examined the open source software systematically; in any case, the developers credit it with discovering five of the six security vulnerabilities that the current rsync 3.4.0 release closes. Among them is the critical heap buffer overflow in the server, which attackers can trigger deliberately and exploit for remote code execution (RCE, CVSS 9.8, CVE-2024-12084). The sixth, reported by Aleksei Gorban ("loqpa"), is a race condition in the handling of symbolic links that attackers can use to gain elevated privileges (CVSS 5.6, CVE-2024-12747).

The announcement of the rsync 3.4.0 version lists a total of six vulnerabilities:

  • CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
  • CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
  • CVE-2024-12086 - Server leaks arbitrary client files.
  • CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
  • CVE-2024-12088 - --safe-links bypass.
  • CVE-2024-12747 - symlink race condition.


The vulnerabilities affect versions prior to rsync 3.4.0, as shipped for example in Red Hat and SUSE Linux; various BSD distributions do not appear to be affected, at least according to the CMU CERT overview. rsync users should install the updated versions as soon as possible – before the ransomware gang Cl0p exploits them for one of its data theft campaigns with subsequent extortion.
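As an added example (not code from the article or from the rsync project), the following POSIX shell check parses the first line of `rsync --version` output and compares the version numerically, field by field, against the 3.4.0 release that the article names as fixed. The function names and the sample version lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: flag an rsync binary whose upstream version predates 3.4.0.
# The 3.4.0 threshold comes from the article; everything else is an assumption
# made for this illustration.

FIXED_VERSION="3.4.0"

# Constructed sample lines in the format `rsync --version` prints on its first line.
SAMPLE_OLD='rsync  version 3.2.7  protocol version 31'
SAMPLE_NEW='rsync  version 3.4.0'

# Extract the dotted version number from a `rsync --version` first line.
# Prints nothing if the line does not look like rsync's banner.
rsync_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version v*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing trailing fields count as 0, so 3.4 equals 3.4.0 and 3.10.0 sorts above 3.4.0.
version_cmp() {
    a=$1; b=$2; i=1
    while :; do
        ax=$(printf '%s\n' "$a" | cut -d. -f"$i")
        bx=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$ax" ] && [ -z "$bx" ]; then
            printf '%s\n' 0; return 0
        fi
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# Returns 0 if the version in the given banner line is older than FIXED_VERSION,
# 1 if it is at or beyond it, and 2 if the line could not be parsed.
rsync_is_vulnerable() {
    ver=$(rsync_version_from_output "$1")
    [ -n "$ver" ] || return 2
    [ "$(version_cmp "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Stand-alone use: inspect the rsync binary on PATH, if any.
if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
    installed=$(rsync_version_from_output "$banner")
    if [ -z "$installed" ]; then
        printf 'could not parse rsync version from: %s\n' "$banner"
    elif rsync_is_vulnerable "$banner"; then
        printf 'rsync %s predates %s: apply the update\n' "$installed" "$FIXED_VERSION"
    else
        printf 'rsync %s is at or beyond %s\n' "$installed" "$FIXED_VERSION"
    fi
fi
```

One caveat when reading the result: enterprise distributions such as Red Hat often backport security fixes without raising the upstream version number, so a banner below 3.4.0 on such a system means "check the package changelog or the vendor advisory", not necessarily "unpatched"; the upstream version check is only a first triage step.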

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.