Six vulnerabilities have been found in rsync, a popular file synchronization tool for Unix systems, some of which allow attackers to execute arbitrary code on the client system.
The CERT Coordination Center (CERT/CC) reported that attackers who control a malicious server can read and write arbitrary files on connected clients. This exposes confidential information such as SSH keys to leakage and allows malicious code execution by altering files like ~/.bashrc or ~/.popt.
The list of vulnerabilities found includes:
- CVE-2024-12084 (CVSS 9.8): heap overflow due to incorrect handling of the checksum length;
- CVE-2024-12085 (CVSS 7.5): data leakage through uninitialized stack contents;
- CVE-2024-12086 (CVSS 6.1): leakage of arbitrary client files by the rsync server;
- CVE-2024-12087 (CVSS 6.5): path traversal vulnerability;
- CVE-2024-12088 (CVSS 6.5): exploitation of the --safe-links option leading to a path traversal attack;
- CVE-2024-12747 (CVSS 5.6): race condition when processing symbolic links.
The first five vulnerabilities were discovered by researchers from Google Cloud Vulnerability Research: Simon Scannell, Pedro Gallegos, and Jasiel Spelman. The last vulnerability was disclosed by security researcher Alexei Gorban.
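A client-side check for the file tampering CERT/CC describes above, as an added example that is not from the advisory or the rsync project: it fingerprints ~/.bashrc and ~/.popt without following symlinks, runs the given transfer command, and reports any change. The function names and the `extra` parameter are assumptions of this example.

```python
import hashlib
import os
import subprocess
import sys
from pathlib import Path

# Files the article names as code-execution vectors when a malicious
# server can write to the client. `extra` (an assumption of this example)
# lets you add your own relative paths.
WATCHED = (".bashrc", ".popt")

def fingerprint(path: Path) -> str:
    """Describe a path without following symlinks."""
    if path.is_symlink():
        # A watched file replaced by a link is itself a finding.
        return "symlink:" + os.readlink(path)
    if not path.exists():
        return "absent"
    if not path.is_file():
        return "not-a-regular-file"
    return "sha256:" + hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(home, extra=()):
    """Map each watched relative path to its current fingerprint."""
    home = Path(home)
    return {name: fingerprint(home / name) for name in (*WATCHED, *extra)}

def changes(before, after):
    """Return {name: (old, new)} for every watched file that differs."""
    return {name: (before.get(name, "absent"), new)
            for name, new in after.items()
            if before.get(name, "absent") != new}

if __name__ == "__main__":
    # Usage: python rsync_guard.py rsync -a <source> <dest>
    home = Path.home()
    before = snapshot(home)
    rc = subprocess.call(sys.argv[1:]) if len(sys.argv) > 1 else 0
    diff = changes(before, snapshot(home))
    for name, (old, new) in diff.items():
        print(f"ALERT {home / name}: {old} -> {new}", file=sys.stderr)
    sys.exit(rc or (2 if diff else 0))
```

This only detects writes to the watched files; it cannot detect files being read by the server, so it does not cover the SSH key leakage case.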
CVE-2024-12084 is notably