New Rsync Vulnerabilities Threaten Over 660,000 Exposed Servers
A series of newly identified vulnerabilities has left more than 660,000 Rsync servers at risk of remote code execution, including a critical heap buffer overflow. Rsync, an open-source utility known for efficient file synchronization and data transfer, is used primarily by backup tools such as Rclone and DeltaCopy, as well as for public file distribution and server management.
Vulnerabilities
Recently uncovered by researchers from Google Cloud and others, these six vulnerabilities can be chained together to achieve remote system compromise:
1. Heap Buffer Overflow (CVE-2024-12084)
 - Incorrect handling of checksum lengths leads to out-of-bounds writes.
 - Affects versions 3.2.7 up to, but not including, 3.4.0.
 - Allows arbitrary code execution; mitigation requires compiling with specific flags.
 - CVSS Score: 9.8
2. Information Leak via Uninitialized Stack (CVE-2024-12085)
 - A flaw in checksum file comparison exposes uninitialized stack data.
 - All versions below 3.4.0 are vulnerable.
 - Compile with the `-ftrivial-auto-var-init=zero` flag to mitigate.
 - CVSS Score: 7.5
3. Server Leaks Arbitrary Client Files (CVE-2024-12086)
 - Attackers can manipulate checksums to reconstruct client files.
 - Affects all Rsync versions below 3.4.0.
 - CVSS Score: 6.1
4. Path Traversal via --inc-recursive Option (CVE-2024-12087)
 - Insufficient symlink verification allows unauthorized file writes.
 - Affects versions below 3.4.0.
 - CVSS Score: 6.5
5. Bypass of --safe-links Option (CVE-2024-12088)
 - Inadequate link verification enables path traversal attacks.
 - Impacts all versions below 3.4.0.
 - CVSS Score: 6.5
6. Symbolic Link Race Condition (CVE-2024-12747)
 - Exploiting a race condition in symlink handling can escalate privileges.
 - Applies to all versions below 3.4.0.
 - CVSS Score: 5.6
Together, these vulnerabilities could allow an attacker with only anonymous read access to run arbitrary code on machines hosting Rsync servers. Notably, Red Hat has signaled that no straightforward mitigation strategies exist, highlighting the necessity of upgrading to version 3.4.0 to resolve these issues.
Global Impact
A Shodan search indicates that the majority of these 660,000 exposed servers are concentrated in China, with the United States, Hong Kong, Korea, and Germany also showing significant numbers. A separate analysis by Binary Edge reported similarly extensive exposure, counting 424,087 vulnerable hosts. Most of these servers listen on the default port 873, with a notable segment using port 8873, often associated with SSH tunneling. The full extent of exploitability remains uncertain, as it depends on server configuration, particularly whether authentication is required.
Recommendations
To mitigate these risks immediately:
Upgrade to Rsync Version 3.4.0: This is the foremost step and is crucial for addressing the outlined vulnerabilities.
Implement Access Controls: For those unable to upgrade right away, modifying server settings to require credentials and blocking TCP port 873 at the network perimeter are the advised interim protections.
Understanding the depth and range of these vulnerabilities is essential in fortifying systems that use Rsync. With potential impact reaching widely across the globe, updating and safeguarding server configurations can significantly reduce the risk of exploitation.
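The two recommendations above can be checked from a shell, as in this added example (not code from the article or from the Rsync project): it flags an installed rsync older than the 3.4.0 fix release and lists rsyncd.conf modules that anonymous clients can read because no `auth users` is set. It assumes rsync is on PATH (hypothetical) and uses a constructed sample configuration rather than a real server's.

```shell
# Added example, not from the article: flag an rsync older than the 3.4.0 fix release
# and list rsyncd.conf modules that anonymous clients can read. Assumes (hypothetical)
# that rsync is on PATH; the sample config below is constructed, not a real server's.

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}
# rsync_affected VERSION: succeed when VERSION is below 3.4.0, where all six CVEs are fixed.
rsync_affected() { [ -n "$1" ] && version_lt "$1" "3.4.0"; }
# installed_rsync_version: third field of "rsync  version 3.2.7  protocol version 31".
installed_rsync_version() { rsync --version 2>/dev/null | awk 'NR == 1 { print $3 }'; }

# unauthenticated_modules: read rsyncd.conf on stdin and print each [module] with no
# "auth users", either set in the module or inherited as a default from the global
# section. Simplified parser: single-space keys, case-insensitive, no "include".
unauthenticated_modules() {
    awk '
        function flush() { if (mod != "" && !auth) print mod }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            flush(); mod = $0; sub(/^[[:space:]]*\[/, "", mod); sub(/\][[:space:]]*$/, "", mod)
            auth = global_auth; next
        }
        tolower($0) ~ /^[[:space:]]*auth users[[:space:]]*=/ { if (mod == "") global_auth = 1; else auth = 1 }
        END { flush() }
    '
}

SAMPLE_CONF=$(cat <<'EOF'
uid = nobody
[public]
path = /srv/pub
[backups]
path = /srv/backups
auth users = backup
secrets file = /etc/rsyncd.secrets
EOF
)
v=$(installed_rsync_version)
if [ -z "$v" ]; then echo "rsync not found on PATH"; elif rsync_affected "$v"; then echo "rsync $v predates 3.4.0: upgrade"; else echo "rsync $v is at or above 3.4.0"; fi
echo "modules readable without credentials:"; printf '%s\n' "$SAMPLE_CONF" | unauthenticated_modules
```

On a real host, replace the sample with `unauthenticated_modules < /etc/rsyncd.conf`; any module it prints is one that should gain `auth users` and a `secrets file` until the upgrade is done.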