Google Cloud Discovers a Critical Hacking Threat to All Unix Systems
Routine file operations have never been so dangerous.
Six security vulnerabilities have been discovered in Rsync, a popular file synchronization tool for Unix systems, some of which allow attackers to execute arbitrary code on the client system.
The CERT Coordination Center (CERT/CC) reported that attackers who control a malicious server can read and write any files on connected clients. This creates the risk of leaking sensitive information such as SSH keys, and of executing malicious code by modifying files such as ~/.bashrc or ~/.popt.
The list of discovered vulnerabilities includes:
- CVE-2024-12084 (CVSS 9.8): Heap overflow due to incorrect handling of checksum length;
- CVE-2024-12085 (CVSS 7.5): Data leakage via uninitialized stack contents;
- CVE-2024-12086 (CVSS 6.1): Rsync server leaks arbitrary client files;
- CVE-2024-12087 (CVSS 6.5): Path Traversal Vulnerability;
- CVE-2024-12088 (CVSS 6.5): Bypass of the --safe-links option leading to a path traversal attack;
- CVE-2024-12747 (CVSS 5.6): Race condition when handling symbolic links.
The first five vulnerabilities were discovered by researchers from Google Cloud Vulnerability Research: Simon Scannell, Pedro Gallegos and Jasiel Spelman. The last vulnerability was disclosed by security researcher Alexey Gorban.
CVE-2024-12084 is considered particularly dangerous: to exploit it, an attacker only needs anonymous read access to the Rsync server. As noted by Nick Tait from Red Hat Product Security, the combined use of vulnerabilities CVE-2024-12084 and CVE-2024-12085 allows arbitrary code execution on a client using the Rsync server.
Rsync 3.4.0, available today, fixes all six vulnerabilities. Users who are unable to update are advised to take the following measures:
- For CVE-2024-12084: disable SHA support by compiling with the CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST flags.
- For CVE-2024-12085: use the -ftrivial-auto-var-init=zero compilation flag to zero-initialize the stack contents.
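To find hosts that still need the update or the rebuild described above, the following added example (not from the Rsync project or the advisories) classifies an `rsync --version` banner against the fixed release 3.4.0. The function names are hypothetical, and the banner format "rsync  version X.Y.Z  protocol version N" is assumed. Distribution packages may carry backported fixes under an older version number, so an "outdated" result means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: compare an rsync version banner with the fixed release.
FIXED_VERSION="3.4.0"   # release the article names as fixing all six CVEs

# Extract X.Y.Z from the first banner line (assumed format, optional "v" prefix).
rsync_banner_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync  *version  *v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2 (numeric compare of three fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "patched", "outdated" or "unknown" for a given banner string.
classify_rsync() {
    ver=$(rsync_banner_version "$1")
    if [ -z "$ver" ]; then
        echo unknown            # banner did not parse: inspect manually
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo patched
    else
        echo outdated           # older than 3.4.0: update or verify backports
    fi
}

# Report on the locally installed binary, if there is one.
if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
    echo "local rsync: $(classify_rsync "$banner") ($banner)"
fi
```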