Over 660,000 Rsync servers exposed to code execution attacks

Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers.

Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage.

It supports local file systems transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon.

The tool is utilized extensively by backup systems like Rclone, DeltaCopy, ChronoSync, public file distribution repositories, and cloud and server management operations.

The Rsync flaws were discovered by Google Cloud and independent security researchers and can be combined to create powerful exploitation chains that lead to remote system compromise.

"In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on," reads the bulletin published on Openwall.

The six flaws are summarized below:

• Heap Buffer Overflow (CVE-2024-12084): Vulnerability arising from improper handling of checksum lengths in the Rsync daemon, leading to out-of-bounds writes in the buffer. It affects versions 3.2.7 through < 3.4.0 and can enable arbitrary code execution. Mitigation involves compiling with specific flags to disable SHA256 and SHA512 digest support. (CVSS score: 9.8)
• Information Leak via Uninitialized Stack (CVE-2024-12085): Flaw allowing the leakage of uninitialized stack data when comparing file checksums. Attackers can manipulate checksum lengths to exploit this vulnerability. It affects all versions below 3.4.0, with mitigation achievable by compiling with the -ftrivial-auto-var-init=zero flag to initialize stack contents. (CVSS score: 7.5)
• Server Leaks Arbitrary Client Files (CVE-2024-12086): Vulnerability allowing a malicious server to enumerate and reconstruct arbitrary client files byte-by-byte using manipulated checksum values during file transfer. All versions below 3.4.0 are affected. (CVSS score: 6.1)
• Path Traversal via --inc-recursive Option (CVE-2024-12087): Issue that stems from inadequate symlink verification when using the --inc-recursive option. Malicious servers can write files outside the intended directories on the client. All versions below 3.4.0 are vulnerable. (CVSS score: 6.5)
• Bypass of --safe-links Option (CVE-2024-12088): Flaw which occurs when Rsync fails to properly verify symbolic link destinations containing other links. It results in path traversal and arbitrary file writes outside designated directories. All versions below 3.4.0 are impacted. (CVSS score: 6.5)
• Symbolic Link Race Condition (CVE-2024-12747): Vulnerability arising from a race condition in handling symbolic links. Exploitation may allow attackers to access sensitive files and escalate privileges. All versions below 3.4.0 are affected. (CVSS score: 5.6)

The CERT Coordination Center (CERT/CC) issued a bulletin warning about the Rsync flaws, marking Red Hat, Arch, Gentoo, Ubuntu NixOS, AlmaLinux OS Foundation, and the Triton Data Center as impacted.

However, many more potentially impacted projects and vendors have not responded yet.

"When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running," warned CERT/CC.

"The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt."

In its own bulletin about CVE-2024-12084, RedHat noted that there are no practical mitigations, and the flaw is exploitable in Rsync's default configuration.

"Keep in mind that rsync's default rsyncd configuration allows anonymous file syncing, which is at risk of this vulnerability," explains RedHat.

"Otherwise, an attacker will need valid credentials for servers which require authentication."

All users are advised to upgrade to upgrade to version 3.4.0 as soon as possible.

Widespread impact

A Shodan search conducted by BleepingComputer shows that there are over 660,000 IP addresses with exposed Rsync servers.

Most IP addresses are located in China, with 521,000 exposed, followed by the United States, Hong Kong, Korea, and Germany in much smaller numbers.

Of these exposed Rsync servers, 306,517 are running on the default TCP port 873 and 21,239 are listening on port 8873, commonly used for Rsync over SSH tunneling.

Binary Edge also shows a large number of exposed Rsync servers, but their numbers are lower, at 424,087.

While there are many exposed servers, it is unclear if they are vulnerable to the newly disclosed vulnerabilities as the attackers would need valid credentials or the server must be configured for anonymous connections, which we did not test.

All Rsync users are strongly advised to upgrade to version 3.4.0 or configure the daemon to require credentials.

For those unable to upgrade now, you can also block TCP port 873 at the perimeter so servers are not remotely accessible.