Critical Vulnerability in Linux Rsync Tool Allows Remote Code Execution

15.01.2025


Security researchers have identified six critical vulnerabilities in rsync, a widely used file synchronization and transfer tool for Linux systems. Among these, the most severe flaw, CVE-2024-12084, has been assigned a CVSS score of 9.8, reflecting its critical severity. This vulnerability arises from a heap-based buffer overflow caused by improper handling of checksum lengths, allowing attackers to execute arbitrary code on systems running rsync servers with anonymous read access.

The issues, uncovered by independent research teams including members of Google Cloud Vulnerability Research, affect all versions of rsync prior to 3.4.0. Released on January 14, 2025, version 3.4.0 addresses these vulnerabilities, which could otherwise enable attackers to compromise the integrity and security of systems relying on rsync.

Additional vulnerabilities include CVE-2024-12085, which facilitates information leakage by exploiting checksum comparisons with uninitialized memory, and CVE-2024-12086, allowing malicious servers to reconstruct arbitrary file contents on client machines. Other flaws include a path traversal bug (CVE-2024-12087), an option bypass leading to unauthorized file writes (CVE-2024-12088), and a race condition in symbolic link handling (CVE-2024-12747), which could escalate privileges.

Given rsync’s critical role in backup systems, software distribution, and public mirrors, these vulnerabilities pose significant risks to the broader technology ecosystem. Tools like Rclone and DeltaCopy, which rely on rsync as a backend, may also be indirectly affected. As a result, experts strongly recommend upgrading to version 3.4.0 without delay.
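The article's only two concrete facts for a defender are the affected range (everything before 3.4.0) and the fixed release (3.4.0). The script below, an added example rather than anything from the article or the rsync project, turns that into a repeatable check: it parses the version out of `rsync --version` output, compares it numerically against 3.4.0, and reports whether the installed binary falls in the affected range. The sample output string is constructed for the demonstration; the function names and the parsing logic are this script's own.

```shell
#!/bin/sh
# Added example (not from the article or the rsync project): report whether
# an installed rsync predates 3.4.0, the release the article names as fixing
# CVE-2024-12084 and the related flaws. Only the fixed version number comes
# from the article; the parsing and comparison below are this script's own.

FIXED_VERSION="3.4.0"

# Extract "X.Y.Z" from the first line of `rsync --version` output, which has
# the form "rsync  version 3.2.7  protocol version 31". The pattern is
# anchored to the leading "rsync ... version" so the later "protocol version"
# number is not picked up by mistake. Prints nothing if no version is found.
parse_rsync_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if dotted version $1 is strictly older than $2.
# Missing components are treated as 0, so "3.4" equals "3.4.0".
version_lt() {
    vl_a=$1
    vl_b=$2
    for vl_i in 1 2 3; do
        vl_pa=$(printf '%s' "$vl_a" | cut -d. -f"$vl_i")
        vl_pb=$(printf '%s' "$vl_b" | cut -d. -f"$vl_i")
        vl_pa=${vl_pa:-0}
        vl_pb=${vl_pb:-0}
        [ "$vl_pa" -lt "$vl_pb" ] && return 0
        [ "$vl_pa" -gt "$vl_pb" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# Return 0 (true) if the given rsync version is in the affected range.
rsync_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Take raw `rsync --version` output, print a verdict, and return:
#   0 = affected (older than 3.4.0), 1 = not affected, 2 = unparseable.
check_rsync_output() {
    cro_ver=$(parse_rsync_version "$1")
    if [ -z "$cro_ver" ]; then
        echo "could not determine rsync version from output" >&2
        return 2
    fi
    if rsync_is_affected "$cro_ver"; then
        echo "rsync $cro_ver is affected: upgrade to $FIXED_VERSION or later"
        return 0
    fi
    echo "rsync $cro_ver is not affected (>= $FIXED_VERSION)"
    return 1
}

# Constructed sample of `rsync --version` output (not a real capture),
# used so the script demonstrates its verdict even where rsync is absent.
SAMPLE_OUTPUT='rsync  version 3.2.7  protocol version 31'
check_rsync_output "$SAMPLE_OUTPUT" || :

# If rsync is installed on this host, check the real binary as well.
if command -v rsync >/dev/null 2>&1; then
    check_rsync_output "$(rsync --version 2>/dev/null)" || :
fi
```

Run it on each host that serves or consumes rsync data; an exit status of 0 from `check_rsync_output` means the binary predates 3.4.0. The check only looks at the upstream version string, so on distributions that backport fixes into an older version number it will report "affected" even after the vendor patch is installed; there the vendor advisory, not the version number, is authoritative.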

For systems where immediate updates are not feasible, temporary mitigations include disabling checksum options on rsync servers. This incident underscores the ongoing need for regular security audits and timely updates, even for well-established tools, to safeguard systems against evolving cyber threats.
