Skip to main content

Vulnerabilities in RSync could allow an attacker to execute arbitrary code or perform path traversal

Threat ID:CC-4626
Threat Severity:Medium
Published:26 February 2025 5:35 PM

Summary

Vulnerabilities in RSync could allow an attacker to execute arbitrary code or perform path traversal

Affected platforms

The following platforms are known to be affected:

Versions: All prior to 3.4.0
RSync

Threat details

Proof-of-Concept exploit released

proof-of-concept (PoC) exploit has been released for 

  • CVE-2024-12084
  • CVE-2024-12085
  • CVE-2024-12086
  • CVE-2024-12087
  • CVE-2024-12088

Exploitation is considered more likely.

Introduction

Five vulnerabilities have been discovered within the RSync utility. RSync is a popular tool for transferring and synchronising files between different systems. RSync is commonly used in Unix-like operating systems.


Vulnerability details

  • CVE-2024-12084 is a 'heap-based buffer overflow' vulnerability, with a CVSSv3 score of 9.8. When used alongside CVE-2024-12085, attackers could gain remote code execution (RCE). 
  • CVE-2024-12085 is an 'improper restriction of operations within the bounds of a memory buffer' vulnerability, with a CVSSv3 score of 7.5. When used alongside CVE-2024-12084, attackers could gain RCE.
  • CVE-2024-12086 is a 'detection of error condition without action' vulnerability with a CVSSv3 score of 6.1. The exploitation of the vulnerability could allow an attacker to access and reconstruct sensitive data from the client's files.
  • CVE-2024-12087 is a 'path traversal' vulnerability, with a CVSSv3 score of 6.5. Successful exploitation of this vulnerability could allow an attacker to write malicious files to an arbitrary location on a user's system. 
  • CVE-2024-12088 is a  'path traversal' vulnerability, with a CVSSv3 score of 6.5. An attacker could exploit this vulnerability to write files outside of the intended directory, potentially placing malicious files on the user's system.

Remediation advice

Affected organisations are encouraged to upgrade RSync to version 3.4.0 or later as soon as practicable. 

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-12084A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
StatusPublished
CVE-2024-12085A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
StatusPublished
CVE-2024-12086A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
StatusPublished
CVE-2024-12087A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
StatusPublished
CVE-2024-12088A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Last edited: 26 February 2025 5:35 pm

Back to top