Main file sync tool Rsync security flaws mean up to 660,000 servers may be affected
- Rsync turned out to be vulnerable to at least six flaws
- One of the bugs is a critical severity RCE, experts warn
- Users and vendors are advised to update to version 3.4.0 immediately
Rsync, a popular open source file transfer and synchronization tool, has been discovered to contain multiple vulnerabilities that could allow threat actors to perform a variety of malicious activities, including remote code execution (RCE). As a result, hundreds of thousands of endpoints are at serious risk.
The warning comes from multiple cybersecurity researchers, including those from Google Cloud, who recently discovered and reported the flaws.
“Two independent groups of researchers have identified a total of six vulnerabilities in rsync. In the most severe CVE, an attacker only needs anonymous read access to an rsync server, such as a public mirror, to execute arbitrary code on the machine running the server,” according to a security advisory published on Openwall. “Upstream has prepared patches for these CVEs. These fixes will be included in rsync 3.4.0, which will be released soon.”
Apply the solution
The most serious vulnerability is tracked as CVE-2024-12084 and is described as a heap buffer overflow bug resulting from improper handling of checksum lengths in the Rsync daemon. It was given a severity score of 9.8 and would affect versions 3.2.7 through 3.2.7.
Other flaws include CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal), CVE-2024-12088 (bypass of the --safe-links option) and CVE-2024-12747 (symbolic link race condition).
The CERT Coordination Center (CERT/CC) labeled Red Hat, Arch, Gentoo, Ubuntu, NixOS, AlmaLinux OS Foundation and the Triton Data Center all affected, but added that there are “many more” potentially affected projects and vendors.
“Combined, the first two vulnerabilities (heap buffer overflow and information leakage) could allow a client to execute arbitrary code on a device running an Rsync server,” CERT/CC warned.
BleepingComputer also conducted a rapid Shodan scan, which returned 660,000 potentially affected instances. The majority (521,000) are in China, while the remainder are spread across the United States, Hong Kong, Korea and Germany.
All Rsync users should upgrade to version 3.4.0 as soon as possible, or at least block TCP port 873.
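As an added example that is not part of the article, the following POSIX shell script turns the advice above into a check a defender can run: it parses the version string, decides whether the installed rsync is older than 3.4.0, and reports whether anything is listening on TCP 873. It assumes `rsync --version` prints a first line of the shape `rsync  version X.Y.Z  protocol version N`, uses `ss` for the listener check, demonstrates itself on a constructed sample string so it runs offline, and the iptables rule it prints is one way to block port 873 rather than something the article prescribes.

```shell
#!/bin/sh
# Added example, not from the article: check whether an installed rsync is
# older than 3.4.0 (the release carrying the fixes) and whether the daemon
# port 873 is listening, the two facts the article's advice turns on.

FIXED_VERSION="3.4.0"   # first release with the fixes, per the article

# Turn "X.Y.Z" into one integer so versions compare with -lt/-ge.
# Trailing suffixes such as "pre1" are dropped; missing parts count as 0.
version_num() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Extract the bare version from text in the shape `rsync --version` prints
# ("rsync  version 3.2.7  protocol version 31"). Assumed output format.
parse_rsync_version() {
    printf '%s\n' "$1" | awk '/^rsync +version/ { print $3; exit }'
}

# Exit 0 when the given version is older than FIXED_VERSION.
rsync_needs_upgrade() {
    [ "$(version_num "$1")" -lt "$(version_num "$FIXED_VERSION")" ]
}

# Exit 0 when something is listening on TCP 873 (the rsync daemon port).
# Uses ss where available; returns 1 (treated as no listener) if ss is missing.
daemon_port_open() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ':873$'
}

# Offline demonstration on constructed sample output (not from a real host).
SAMPLE_OLD='rsync  version 3.2.7  protocol version 31
Copyright (C) 1996-2022 by Andrew Tridgell, Wayne Davison, and others.'

old_version=$(parse_rsync_version "$SAMPLE_OLD")
if rsync_needs_upgrade "$old_version"; then
    echo "sample: rsync $old_version is older than $FIXED_VERSION -> upgrade"
fi

# Live check of this host, skipped quietly when rsync is not installed.
if command -v rsync >/dev/null 2>&1; then
    local_version=$(parse_rsync_version "$(rsync --version 2>/dev/null)")
    if rsync_needs_upgrade "${local_version:-0}"; then
        echo "host: rsync ${local_version:-unknown} needs upgrade to $FIXED_VERSION"
        if daemon_port_open; then
            echo "host: TCP 873 is listening; until upgraded, block it, e.g.:"
            echo "  iptables -I INPUT -p tcp --dport 873 -j DROP"
        fi
    else
        echo "host: rsync $local_version is at or above $FIXED_VERSION"
    fi
fi
```

The numeric comparison matters because a plain string compare would rank 3.10.0 below 3.4.0; the port check is only a hint that the daemon is exposed, since rsync over SSH does not use port 873 and is not covered by the daemon-side advice.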