At 02:25 Beijing time on January 15, 2025, security researcher Nick Tait reported six security vulnerabilities in rsync on the oss-security mailing list. Among them, the most severe vulnerability allows attackers to execute arbitrary code on the server simply by having anonymous read access to the rsync server (such as a public mirror).

Vulnerability Details:

  1. CVE-2024-12084 (CVSS: 9.8): Heap buffer overflow in rsync caused by improper handling of checksum lengths. Because MAX_DIGEST_LEN can exceed the fixed SUM_LENGTH (16 bytes), an attacker can write past the end of the sum2 buffer. Affected versions: 3.2.7 to 3.4.0.
  2. CVE-2024-12085 (CVSS: 7.5): In the rsync daemon, when comparing file checksums, attackers can manipulate the checksum length, leading to comparisons with uninitialized memory, thereby leaking one byte of uninitialized stack data each time. Affected versions: All versions.
  3. CVE-2024-12086 (CVSS: 6.1): The rsync server may leak arbitrary file contents from the client. During the process of copying files from the client to the server, the server sends local data checksums for the client to compare. By sending specially crafted checksum values, attackers may reconstruct the data of these files byte by byte based on the client's responses. Affected versions: All versions.
  4. CVE-2024-12087 (CVSS: 6.5): Path traversal vulnerability in rsync. When the --inc-recursive option is enabled (many clients enable it by default), a malicious server can cause the client to write files outside the intended destination directory. Affected versions: All versions.
  5. CVE-2024-12088 (CVSS: 6.5): The --copy-dest option in rsync has a symbolic link attack vulnerability. Attackers can exploit this vulnerability to overwrite files in the target directory. Affected versions: All versions.
  6. CVE-2024-12089 (CVSS: 6.5): The --backup-dir option in rsync has a symbolic link attack vulnerability. Attackers can exploit this vulnerability to create symbolic links in the backup directory, leading to file overwrites. Affected versions: All versions.


Am I Affected?

If you have never installed the rsync package (which is not pre-installed in deepin 23), you are not affected by these vulnerabilities.

If you have never manually enabled any rsync-related services, you are not affected by these vulnerabilities.

Mitigation Measures

The upstream maintainers of rsync have prepared patches for the aforementioned vulnerabilities, which will be included in the upcoming upstream rsync 3.4.0 release (the deepin patched version is: 3.3.0+ds1-3).

Temporary Workarounds

We strongly recommend updating to the new version. If you wish to defer the update, you can take the following temporary measures:

If you do not need clients to use the --checksum option, you can configure the rsync daemon to refuse it, which removes the attacker-controlled checksum handling used by the vulnerabilities above. To do this:

    1. Edit /etc/rsyncd.conf
    2. Add the line refuse options = checksum to the configuration file.
    3. Restart the rsync service (systemctl restart rsync).
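The three steps above can be applied and verified with a small script. The following is an added example written for this advisory page, not code from the deepin or rsync projects. It assumes a stock rsyncd.conf layout (optional global parameters followed by [module] sections); it adds the refuse line once in the global section, and also reports modules that carry their own "refuse options" line, because a per-module line overrides the global default and would leave that module still accepting checksum requests. The configuration it edits in the demo is a constructed temporary file, not /etc/rsyncd.conf.

```shell
#!/bin/sh
# Added example (not from the deepin advisory or the rsync project).
# Applies "refuse options = checksum" to an rsyncd.conf idempotently and
# flags modules whose own "refuse options" line would override the global one.

# Return 0 if the config already refuses the checksum option somewhere, else 1.
rsyncd_has_checksum_refused() {
    grep -Eiq '^[[:space:]]*refuse options[[:space:]]*=.*checksum' "$1"
}

# Insert "refuse options = checksum" as a global parameter (before the first
# [module] header) unless a refuse line naming checksum already exists.
# Global parameters act as defaults for every module in rsyncd.conf.
rsyncd_refuse_checksum() {
    cfg="$1"
    if rsyncd_has_checksum_refused "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk 'BEGIN { done = 0 }
         /^[[:space:]]*\[/ && !done { print "refuse options = checksum"; done = 1 }
         { print }
         END { if (!done) print "refuse options = checksum" }' "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Print the name of every module that sets its own "refuse options" line
# without "checksum": such a module ignores the global default above.
rsyncd_modules_overriding_refuse() {
    awk '
      /^[[:space:]]*\[/ {
          sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
      }
      sec != "" && tolower($0) ~ /^[[:space:]]*refuse options[[:space:]]*=/ \
                && tolower($0) !~ /checksum/ { print sec }
    ' "$1"
}

# Demo on a constructed config file (assumed layout; not a real system file).
demo_cfg="${TMPDIR:-/tmp}/rsyncd-demo-$$.conf"
cat > "$demo_cfg" <<'EOF'
# constructed sample rsyncd.conf for the demo
uid = nobody
read only = yes

[mirror]
    path = /srv/mirror
    comment = public mirror

[backup]
    path = /srv/backup
    refuse options = delete
EOF

rsyncd_refuse_checksum "$demo_cfg"
rsyncd_refuse_checksum "$demo_cfg"        # second run is a no-op
echo "modules still needing a checksum refusal of their own:"
rsyncd_modules_overriding_refuse "$demo_cfg"   # prints: backup
rm -f "$demo_cfg"
```

Run it as root against /etc/rsyncd.conf only after taking a backup, then restart the service as step 3 says; any module the last function prints needs "checksum" appended to its own refuse options line.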


Timeline:

  • January 15, 2025, 02:25: Vulnerability disclosure.

  • January 15, 2025, 02:25: Upstream releases rsync 3.4.0, which includes the fixes for these vulnerabilities.

  • January 15, 2025, 02:45: deepin sysdev group syncs upstream update.

  • January 15, 2025, 10:11: Update pushed to deepin 23 and deepin 25 users.

References:

We strongly recommend all rsync users update to version 3.4.0 (deepin version 3.3.0+ds1-3) as soon as possible to address the aforementioned security vulnerabilities.

