    Google Cloud Researchers Expose Critical Vulnerabilities in Rsync File Synchronization Tool

    Google Cloud’s vulnerability research team has uncovered six security flaws in Rsync, the widely used file synchronization utility for Unix-like systems. One of them allows arbitrary code execution on the host running an rsync daemon, and several others let a malicious server read or overwrite arbitrary files on any client that connects to it, so both mirror operators and ordinary users are affected.

    “Attackers could compromise a malicious server to manipulate or exfiltrate arbitrary files from any connected client,” warned the CERT Coordination Center (CERT/CC) in a security advisory. “Sensitive assets like SSH keys could be extracted, and malicious payloads may be deployed by overwriting critical files such as ~/.bashrc or ~/.popt.”

    Overview of the Disclosed Vulnerabilities

    The issues cover several attack vectors: a heap-buffer overflow, an information leak, file leaks, path traversal, and a symbolic-link race condition. The six vulnerabilities are:

    • CVE-2024-12084 (CVSS score: 9.8): A heap-buffer overflow in the rsync daemon caused by improper handling of the checksum (digest) length sent by the peer.
    • CVE-2024-12085 (CVSS score: 7.5): Information leakage of uninitialized stack contents, one byte at a time, when comparing checksums.
    • CVE-2024-12086 (CVSS score: 6.1): A malicious rsync server can leak the contents of arbitrary files on the connecting client.
    • CVE-2024-12087 (CVSS score: 6.5): Path traversal that lets a malicious server write files outside the client’s destination directory.
    • CVE-2024-12088 (CVSS score: 6.5): A bypass of the --safe-links option, which is meant to block symlinks pointing outside the transfer; a malicious server can still cause path traversal on the client.
    • CVE-2024-12747 (CVSS score: 5.6): A race condition in rsync’s handling of symbolic links during transfers that can expose sensitive files.

    The first five vulnerabilities were reported by Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google Cloud Vulnerability Research, while the symbolic-link race condition was identified by independent researcher Aleksei Gorban.

    Implications of the Vulnerabilities

    Among the flaws, CVE-2024-12084 stands out as the most critical. Nick Tait from Red Hat Product Security explained, “This vulnerability allows attackers with anonymous read access to an Rsync server—such as a public mirror—to execute arbitrary code on the server’s host machine.”

    CERT/CC emphasized that, combined, CVE-2024-12084 and CVE-2024-12085 allow a malicious client to execute arbitrary code on any device running an rsync daemon: the information leak defeats memory randomization and the heap overflow then provides the write.

    Patches and Mitigations

    The vulnerabilities are fixed in Rsync version 3.4.0, released on January 14, 2025. Users and, above all, operators of rsync daemons and public mirrors are strongly urged to update immediately. For daemon operators who cannot apply the update yet, CERT/CC recommends the following interim mitigations; note that they cover only the two server-side flaws, not the four client-side ones, which are addressed only by the update:

    • CVE-2024-12084: Disable the SHA-256 and SHA-512 digests at build time by compiling with CFLAGS="-DDISABLE_SHA512_DIGEST -DDISABLE_SHA256_DIGEST".
    • CVE-2024-12085: Compile with -ftrivial-auto-var-init=zero so that stack variables are zero-initialized and cannot leak their previous contents.
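    The two steps a practitioner needs here are to find out whether a host’s rsync predates 3.4.0 and, failing that, to build a daemon with the interim flags. The script below is an added example, not code from CERT/CC or the rsync project; it assumes the standard banner format of `rsync --version` ("rsync  version 3.2.7  protocol version 31") and that the mitigated build is run inside an unpacked rsync source tree. The version comparison is plain POSIX sh so it works where `sort -V` is unavailable.

```shell
#!/bin/sh
# Added example (not from the CERT/CC advisory or the rsync project): decide whether the
# rsync on a host predates the 3.4.0 fix, and print the interim mitigation build.

# Compare dotted version strings field by field in pure POSIX sh.
# Returns 0 when $1 >= $2. A trailing non-numeric suffix such as "pre1" is ignored,
# and a missing field counts as 0, so "3.4" equals "3.4.0".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"                 # first field of each
        if [ "$a" = "$fa" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$fb" ]; then b=""; else b="${b#*.}"; fi
        fa="${fa%%[!0-9]*}"; fb="${fb%%[!0-9]*}"     # drop "pre1", "rc2", ...
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Pull "3.2.7" out of the first line of `rsync --version`, which looks like
# "rsync  version 3.2.7  protocol version 31". Anchoring on "^rsync" avoids
# matching the "protocol version 31" later on the same line.
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^rsync  *version \([0-9][0-9.]*\).*/\1/p'
}

# Classify a version string against the fixed release. Caveat: distributions that
# backport the fixes keep the old upstream version number, so on those hosts check
# the package changelog rather than trusting this answer alone.
rsync_patch_status() {
    if version_ge "$1" "3.4.0"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# The CERT/CC interim mitigations for daemons that cannot update yet: drop the
# SHA-256/SHA-512 digests (CVE-2024-12084) and zero-initialise stack variables
# (CVE-2024-12085). -ftrivial-auto-var-init=zero needs GCC 12 or newer, or Clang.
# This only prints the commands; run them in an unpacked rsync source tree.
mitigated_build_commands() {
    cat <<'EOF'
./configure CFLAGS="-DDISABLE_SHA512_DIGEST -DDISABLE_SHA256_DIGEST -ftrivial-auto-var-init=zero"
make
EOF
}

# Report on the rsync found on this host, if any.
if command -v rsync >/dev/null 2>&1; then
    installed=$(rsync_version_from_banner "$(rsync --version 2>/dev/null)")
    echo "installed rsync ${installed:-unknown}: $(rsync_patch_status "${installed:-0}")"
    echo "interim mitigation build (server side only):"
    mitigated_build_commands
fi
```

    Run it on each host that exposes an rsync daemon; anything reported as vulnerable should be updated, and the printed build only buys time against the two server-side bugs, since the four client-side flaws are fixed only in 3.4.0.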

    The Takeaway

    This discovery underscores how much trust is placed in long-established infrastructure tools such as rsync, which run on public mirrors, backup hosts, and developer workstations alike. The practical lessons are to update promptly, to treat any server a client synchronizes from as untrusted input, and to limit what an rsync daemon can reach on the host where it runs.
