
Rsync is an open-source command-line tool for Linux, macOS, *BSD and Unix-like systems that synchronizes files and directories. It is a popular tool for sending or receiving files, making backups, or setting up mirrors. It minimizes the data copied by transferring only the changed parts of files, making it faster and more bandwidth-efficient than traditional copying methods provided by tools like sftp or ftp-ssl. Rsync versions 3.3.0 and below have been found to contain six serious vulnerabilities. Attackers could exploit these to leak your data, corrupt your files, or even take over your system. There is a heap-based buffer overflow with a CVSS score of 9.8 that needs to be addressed on both the client and server sides of the rsync package. Apart from that, an information leak via uninitialized stack contents defeats ASLR protection, and an rsync server can make a client write files outside of the destination directory using symbolic links.
Rsync Security Vulnerability: Urgent Update Needed to Protect Your System
Rsync is a handy command-line tool that is used by many popular open-source backup applications, including Rclone, Rsnapshot, DeltaCopy, and others. It operates in both daemon and client modes. Patch the rsync software installed on both the server and client sides to ensure your system’s security and stability. The following vulnerabilities exist as per the CERT Coordination Center:
- CVE-2024-12084 – A heap-based buffer overflow that allows attackers to execute arbitrary code on the targeted server running rsync.
- CVE-2024-12085 – A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. This info leak via uninitialized stack contents defeats ASLR.
- CVE-2024-12747 – Rsync is vulnerable to a symbolic-link race condition, which could lead to privilege escalation. This vulnerability allows a user to access privileged files on affected servers.
- CVE-2024-12086 – This vulnerability allows a server to enumerate the contents of an arbitrary file from the client’s machine, i.e., the server can leak arbitrary client files.
- CVE-2024-12087 – This is a path traversal vulnerability in the rsync daemon. In other words, a server can make a client write files outside of the destination directory using symbolic links.
- CVE-2024-12088 – Rsync fails to properly verify whether a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file writes outside the desired directory.
Impact of the rsync vulnerabilities on Linux and Unix systems
As you know, rsync is a way to move files between Linux/Unix systems. Unfortunately, these six security weaknesses, used together or on their own, let attackers take over computers with rsync installed: the buffer overflow can be used to run arbitrary commands or code, and the information leak lets attackers read data stored in memory, possibly including secrets. Sensitive data, such as SSH keys, can be extracted. Malicious code may be executed by overwriting or updating files like ~/.bashrc or ~/.popt in the user’s home directory.
How to protect your system
You must apply the latest patches available in the rsync repo. However, most Linux distros and Unix-like systems provide a package manager to update rsync from the command line. I recommend that you upgrade your rsync packages on both the desktop and server side.
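Before and after updating, it helps to confirm which upstream rsync version is installed and whether the daemon is running. The following POSIX shell script is an added example, not part of the original article; it assumes that `rsync --version` prints a first line such as "rsync  version 3.1.3  protocol version 31", and that the daemon unit is named rsync or rsyncd under systemd.

```shell
#!/bin/sh
# Added example (not from the original article): report whether the installed
# rsync predates upstream 3.4.0, the release that fixed CVE-2024-12084 through
# CVE-2024-12088 and CVE-2024-12747, and whether the rsync daemon is active.
# Assumes `rsync --version` prints a first line such as
# "rsync  version 3.1.3  protocol version 31".

# Pull the "X.Y.Z" upstream version out of `rsync --version` output.
rsync_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 (true) when version $1 is below 3.4.0, i.e. an unpatched upstream
# release. Distributions often backport the fixes without changing the
# upstream version (the Ubuntu 3.1.3-8ubuntu0.8 package shown in the apt
# output in this article is such a case), so treat "true" as "verify the
# package changelog", not as proof that the binary is exploitable.
rsync_is_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{ exit !($1 < 3 || ($1 == 3 && $2 < 4)) }'
}

# Human-readable verdict for a version string, returned on stdout.
rsync_verdict() {
    if rsync_is_vulnerable "$1"; then
        echo "rsync $1: below 3.4.0, update (or confirm a distro backport)"
    else
        echo "rsync $1: 3.4.0 or later, upstream fixes included"
    fi
}

# Run against the real installation when rsync is present on this host.
if command -v rsync >/dev/null 2>&1; then
    installed=$(rsync_version_from_output "$(rsync --version 2>/dev/null)")
    rsync_verdict "$installed"
    # The daemon side keeps the old code in memory until restarted, so show
    # whether a daemon unit is active (assumed unit names: rsync, rsyncd).
    if command -v systemctl >/dev/null 2>&1; then
        for unit in rsync rsyncd; do
            if systemctl is-active --quiet "$unit" 2>/dev/null; then
                echo "$unit daemon is active: restart it after updating"
            fi
        done
    fi
fi
```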
Debian/Ubuntu Linux
Debian or Ubuntu Linux users use the apt command/apt-get command to patch and update the rsync package:
$ sudo apt update
$ apt list --upgradable
rsync/focal-updates,focal-security 3.1.3-8ubuntu0.8 amd64 [upgradable from: 3.1.3-8ubuntu0.7]
$ sudo apt upgrade
Ubuntu Linux versions 24.04/22.04/20.04/18.04 ESM/16.04 ESM/14.04 ESM are affected. Debian Linux version info here. There is no need to reboot the server, but you must restart the rsync daemon service.
RHEL/Oracle Linux/Rocky/AlmaLinux and CentOS
RHEL 8.x/9.x and clones are all affected, so run the yum command/dnf command to apply patches:
$ sudo dnf update
SUSE Linux Enterprise and OpenSUSE Linux
As per this page, multiple versions of SUSE Linux are affected. Run the zypper command. For example:
$ sudo zypper patch
OpenSUSE users see this page.
Alpine Linux
Try running the apk command:
# apk update
# apk upgrade
Arch Linux
Run the pacman command as follows (see this page for more info):
$ sudo pacman -Syu "rsync>=3.4.0-1"
FreeBSD
Use the pkg command:
$ sudo pkg update
$ sudo pkg upgrade
macOS (OS X)
Open your Terminal, type the following brew command, and press the Enter key. For example:
$ brew update
Summing up
The rsync package in Linux, *BSD, and Unix-like systems is vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP. Please see the following links for more information:
Critical Rsync Vulnerability Requires Immediate Patching on Linux
