
Six Vulnerabilities Put 660,000+ Rsync Servers at RCE Risk

by Rohan Timalsina

January 29, 2025 - TuxCare expert team

There’s been some concerning news in the cybersecurity world: over 660,000 Rsync servers have been exposed to potential attacks due to six newly discovered vulnerabilities. Among them is a critical heap-buffer overflow flaw (CVE-2024-12084) that enables remote code execution (RCE) on servers.

Rsync is a popular utility used for file synchronization and data transfer in Linux. Many users rely on it for incremental backups, server management, and distributing files publicly. While it’s a very efficient tool, these new vulnerabilities highlight the dangers of having outdated servers.

A Closer Look at the Rsync Vulnerabilities

Researchers at Google Cloud and other independent contributors discovered these flaws, and they have shown how the flaws can be chained together for more complex attacks. In short, these vulnerabilities could allow attackers to compromise systems through anonymous access or poorly configured servers.

These six vulnerabilities affect Rsync versions older than 3.4.0, and they range from critical to moderate in severity:

Heap Buffer Overflow (CVE-2024-12084)

This one’s the most critical with a CVSS score of 9.8. It allows arbitrary code execution because of how checksum lengths are handled. It affects versions 3.2.7 up to (but not including) 3.4.0. A workaround is to recompile Rsync with specific flags to disable SHA256/SHA512 support.

Information Leak via Uninitialized Stack (CVE-2024-12085)

This flaw can expose sensitive data by manipulating checksum lengths. It affects all versions before 3.4.0. Compiling with flags to initialize stack contents can mitigate this. It has a CVSS score of 7.5 (High).

Server Leaks Arbitrary Client Files (CVE-2024-12086)

By manipulating checksum values, attackers could reconstruct client files. This vulnerability affects all versions before 3.4.0 and has a CVSS score of 6.1 (Medium).

Path Traversal via --inc-recursive Option (CVE-2024-12087)

This flaw lets attackers write files outside of intended directories by exploiting the gaps in symlink verification. It affects all versions before 3.4.0 and has a CVSS score of 6.5 (Medium).

Bypass of --safe-links Option (CVE-2024-12088)

Attackers can use symbolic links with nested paths to write arbitrary files. This affects all versions before 3.4.0 and has a CVSS score of 6.5 (Medium).

Symbolic Link Race Condition (CVE-2024-12747)

This vulnerability allows attackers to escalate their privileges by exploiting race conditions in how symbolic links are handled. It affects all versions before 3.4.0 and has a CVSS score of 5.6 (Medium).

The Scale of the Problem

A Shodan search identified over 660,000 exposed Rsync servers globally. Alarmingly, more than 500,000 of these are in China, followed by smaller numbers in the United States, Hong Kong, and Germany. Most servers run on the default TCP port 873, while others use port 8873 for Rsync over SSH tunneling. Not all exposed servers are vulnerable, but those allowing anonymous connections are at the highest risk.

Who Is Affected?

CERT/CC has confirmed the vulnerabilities affect all Rsync versions below 3.4.0, potentially impacting major Linux distributions like Red Hat, Ubuntu, AlmaLinux, and Gentoo. Public mirrors configured for anonymous access are particularly vulnerable, as attackers need minimal access to exploit the most severe flaws.

When paired together, certain vulnerabilities (like the heap-buffer overflow and information leak flaws) allow attackers to execute code on servers with just anonymous read access. Attackers can then use malicious servers to target connected clients, stealing sensitive data or injecting malicious code by tampering with key files like ~/.bashrc.

What Can You Do to Stay Safe?

Here’s what system administrators and organizations should do immediately:

  • Upgrade to Rsync 3.4.0: This version fixes all the reported vulnerabilities.
  • Restrict Access: Make sure credentials are required for all Rsync server connections.
  • Block TCP Port 873: Prevent the Rsync daemon from being accessible from untrusted networks.
  • Use Security Flags: If you can’t upgrade immediately, recompiling Rsync with specific flags can help minimize your exposure.
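The first two items of that checklist can be audited with a small script. The following is an added example, not code from the article or from the rsync project: it reads the version string out of `rsync --version` output and reports whether it is below 3.4.0, and it scans an rsyncd.conf for modules that accept anonymous connections (no `auth users` directive of their own or in the global section). The version output and the rsyncd.conf below are constructed samples so the script runs stand-alone; the `[mirror]` module shows the anonymous default the article describes, and `[backups]` shows the corrected form with credentials required.

```shell
#!/bin/sh
# Added audit helper (not from the article or the rsync project).
# It checks the two conditions the article's checklist turns on:
#   1. is the installed rsync older than 3.4.0?
#   2. does rsyncd.conf expose any module without "auth users"?
# Sample inputs below are constructed for a stand-alone run.

# Extract the version number from `rsync --version` output on stdin.
# The first line looks like: "rsync  version 3.2.7  protocol version 31"
rsync_version_from_output() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "version") { print $(i + 1); exit } }'
}

# Print "vulnerable" if the dotted version is below 3.4.0, else "patched".
# All six CVEs in the article are fixed in 3.4.0, so only major.minor matters.
rsync_version_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    minor=${minor:-0}
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        echo vulnerable
    else
        echo patched
    fi
}

# Read an rsyncd.conf on stdin and print each module that accepts anonymous
# connections, i.e. has no "auth users" line of its own and none in the
# global section. Comments and blank lines are ignored.
anonymous_modules() {
    awk '
        function flush() { if (mod != "" && !auth) print mod }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            flush()
            mod = $0
            sub(/^[[:space:]]*\[/, "", mod)
            sub(/\].*$/, "", mod)
            auth = global_auth
            next
        }
        /^[[:space:]]*auth users[[:space:]]*=/ {
            if (mod == "") global_auth = 1; else auth = 1
        }
        END { flush() }
    '
}

# Constructed sample: the output of a vulnerable build.
SAMPLE_VERSION_OUTPUT='rsync  version 3.2.7  protocol version 31'

# Constructed sample rsyncd.conf: [mirror] is the weak setting (anonymous,
# as in the default configuration the article describes); [backups] shows
# the corrected form with credentials required.
SAMPLE_CONF=$(cat <<'EOF'
uid = nobody
use chroot = yes

[mirror]
    path = /srv/mirror
    read only = yes

[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
EOF
)

# Stand-alone demonstration on the constructed samples.
ver=$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | rsync_version_from_output)
echo "rsync $ver: $(rsync_version_status "$ver")"
printf '%s\n' "$SAMPLE_CONF" | anonymous_modules | while read -r m; do
    echo "module [$m] allows anonymous access; add 'auth users' and a 'secrets file'"
done
```

On a real host, replace the samples with `rsync --version | rsync_version_from_output` and `anonymous_modules < /etc/rsyncd.conf`. One caveat: distribution packages often backport fixes without changing the upstream version string, so a version below 3.4.0 is a prompt to check the distribution's advisory rather than proof that the host is unpatched. The module check only covers `auth users`; combining it with `hosts allow` and the port restriction from the checklist above narrows exposure further.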

Conclusion

Red Hat’s advisory on CVE-2024-12084 points out that the default rsyncd configuration allows anonymous file syncing, which leaves Rsync servers particularly vulnerable. The time to act is now — don’t wait until attackers exploit these flaws. As exploitation attempts are likely to increase, organizations using Rsync need to act quickly to mitigate the risks and protect their systems by updating to version 3.4.0.

The sources for this article include a story from BleepingComputer.
