
Rsync Vulnerabilities: Millions of Servers at Risk!
Several critical vulnerabilities have been discovered in Rsync, a widely used tool for server and data synchronization. These vulnerabilities allow attackers to execute malicious code remotely, steal confidential data, and bypass key security mechanisms.
Affected Versions:
All versions of Rsync 3.2.7 and earlier.
Potential Threats:
🔴 Remote Code Execution (RCE)
🔴 Theft of Confidential Data
🔴 Bypassing Security Mechanisms
Key Vulnerabilities
1. Memory Corruption in Checksum Handling (CVE-2024-12084)
This vulnerability arises from improper memory management when processing checksum data. The sender.c module in Rsync allocates an insufficient memory buffer for handling file chunks, allowing attackers to overwrite memory beyond allocated limits.
🔹 For example, when using SHA-256 (32 bytes) or SHA-512 (64 bytes), the buffer is only 16 bytes, so attackers can write up to 48 extra bytes, causing a heap buffer overflow.
⚠️ Impact: Critical memory corruption allowing attackers to manipulate key memory structures.
2. ASLR Bypass via Stack Leak (CVE-2024-12085)
This vulnerability enables attackers to bypass Address Space Layout Randomization (ASLR) by leaking stack data. Malicious actors can exploit poor stack handling in the hash_search function to analyze memory locations.
⚠️ Impact: Enables Remote Code Execution (RCE) by disclosing memory addresses for precise exploitation.
3. Client-Side File Exfiltration (CVE-2024-12086)
Attackers can exploit this vulnerability to read protected client files remotely by manipulating Rsync’s file path validation. By crafting specific fnamecmp_type and xname values, they can force the client to open and expose file content through adaptive checksum brute-forcing.
⚠️ Impact: Remote theft of confidential files.
4. Symbolic Link Exploitation (CVE-2024-12087/12088)
Even though Rsync protects against symbolic link attacks using the --safe-links option, attackers can bypass this protection through multi-stage directory poisoning.
📌 Attack Steps:
1️⃣ The attacker creates a ./symlink directory and sends it in the file list.
2️⃣ Then, they replace this directory with a symbolic link.
3️⃣ Rsync processes the modified path, allowing the attacker to write files anywhere.
⚠️ Impact: Bypassing Rsync’s security checks to gain unauthorized access to protected files.
By combining these vulnerabilities, attackers can achieve a complete remote execution chain, which includes:
✅ Leaking memory addresses to bypass ASLR
✅ Crafting a precise heap overflow attack
✅ Overwriting function pointers to execute malicious code
Security researchers successfully demonstrated this attack against Debian 12 running Rsync 3.2.7 in daemon mode.
The most alarming aspect is that only anonymous read access is required to trigger the exploit.
💡 All users must immediately upgrade to Rsync 3.4.0, which includes the following security enhancements:
✅ Strict bounds checking for checksum buffers
✅ Stack buffer initialization in hash functions
✅ Improved symbolic link validation
✅ Stronger path sanitization
🔹 Critical Recommendations for Administrators:
🔸 Audit your Rsync configuration and disable anonymous access wherever possible.
🔸 Enable the --safe-links option and enforce munge-symlinks.
🔸 Ensure clients connect only to trusted servers.
🔸 Use a firewall to block untrusted IP addresses.
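To make the upgrade check and the configuration audit above repeatable, here is a small helper added to this post (it is not part of Rsync or the original write-up). It compares `rsync --version` output against 3.4.0 and flags rsyncd.conf modules that allow anonymous access or do not explicitly enable symlink munging; the sample configuration at the bottom is constructed for the demonstration.

```python
# Added audit helper, not from the original post: flags rsync builds older than
# 3.4.0 and rsyncd.conf modules with anonymous access or no explicit munging.
import re
FIXED_VERSION = (3, 4, 0)  # release the post says carries the fixes

def version_tuple(output):
    """Parse the first X.Y.Z from `rsync --version` output into a tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(x) for x in m.groups())

def needs_upgrade(output):
    return version_tuple(output) < FIXED_VERSION

def parse_rsyncd_conf(text):
    """Minimal rsyncd.conf parser; global settings live under module ''."""
    modules, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            modules[current][key.lower()] = value
    return modules

def audit_modules(conf):
    """Return one finding per risky module setting; empty list means clean."""
    findings = []
    for name, opts in conf.items():
        if name == "":
            continue
        eff = {**conf[""], **opts}  # module settings override global ones
        if not eff.get("auth users"):
            findings.append(f"[{name}] anonymous access: no 'auth users'")
        # rsync's default here depends on 'use chroot', so require it explicitly
        if eff.get("munge symlinks", "").lower() not in ("yes", "true", "1"):
            findings.append(f"[{name}] 'munge symlinks' not explicitly enabled")
    return findings

SAMPLE_CONF = """[backup]
path = /srv/backup
[internal]
path = /srv/internal
auth users = backupbot
munge symlinks = yes
"""
```

Run `audit_modules(parse_rsyncd_conf(open("/etc/rsyncd.conf").read()))` on a real daemon host to list the modules that still need attention.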
Since Rsync is widely used in corporate backup systems and CI/CD workflows, these new vulnerabilities put millions of servers at risk.
⚠️ Recommendation:
All system administrators and developers must immediately upgrade to Rsync 3.4.0, check for potential vulnerabilities, and implement the security measures outlined above.
🔐 Stay vigilant and protect your systems from cyber threats!