Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool
Latest News on Rsync Vulnerabilities (2025)
As of January 2025, six critical security vulnerabilities have been discovered in the Rsync file-synchronizing tool, which is widely used in Unix systems for file synchronization and transfer. Here is a detailed overview of these vulnerabilities and the necessary actions to mitigate them.
Identified Vulnerabilities
CVE-2024-12084
- Heap-Buffer Overflow: This vulnerability, with a CVSS score of 9.8, is the most severe and allows attackers to execute arbitrary code on the machine running the Rsync server. It arises from improper handling of attacker-controlled checksum lengths, enabling out-of-bounds writes that can lead to code execution.
CVE-2024-12085
- Information Leak: This vulnerability has a CVSS score of 7.5 and enables attackers to access uninitialized memory, potentially revealing sensitive data. It occurs when checksum lengths are manipulated to force comparisons between checksums and uninitialized memory.
CVE-2024-12086
- File Leak: With a CVSS score of 6.1, this vulnerability allows malicious Rsync servers to extract arbitrary files from clients by exploiting the file comparison process during transfers.
CVE-2024-12087
- Path Traversal: This vulnerability, with a CVSS score of 6.5, involves a path traversal flaw that can be exploited when using the --inc-recursive option. It allows a malicious server to write files outside the client's intended destination directory by exploiting improper symlink verification.
CVE-2024-12088
- --safe-links Option Bypass: Also with a CVSS score of 6.5, this vulnerability allows attackers to bypass the --safe-links option, leading to unauthorized file writes and path traversal.
CVE-2024-12747
- Symbolic-Link Race Condition: This vulnerability, with a CVSS score of 5.6, involves a race condition when handling symbolic links, which could lead to privilege escalation. It was discovered by security researcher Aleksei Gorban.
Impact and Exploitation
- These vulnerabilities affect all Rsync versions prior to 3.4.0 and can be exploited in various ways, including arbitrary code execution, sensitive data leakage, and unauthorized file writes. An attacker with anonymous read access to an Rsync server can exploit the most severe vulnerability (CVE-2024-12084) to execute arbitrary code on the server.
- Combining CVE-2024-12084 and CVE-2024-12085 can also lead to arbitrary code execution on a client that has an Rsync server running.
Mitigation and Patches
- Patches for these vulnerabilities have been released in Rsync version 3.4.0, which was made available on January 14, 2025. Users are strongly advised to update their Rsync installations to this version.
- For users unable to apply the update immediately, several mitigations are recommended:
- Disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST for CVE-2024-12084.
- Compile with -ftrivial-auto-var-init=zero to zero the stack contents for CVE-2024-12085.
- Add "refuse options = checksum" to the configuration file to disable checksum options on Rsync servers.
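The two checks an administrator would run first against the advice above, as an added example that is not part of the original article: a version test against the patched 3.4.0 release and a test of whether an rsyncd.conf carries the "refuse options = checksum" mitigation. The sample configuration at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: a defender-side check that
# reports whether an installed rsync predates the patched 3.4.0 release and
# whether an rsyncd.conf carries the "refuse options = checksum" mitigation.
# Print the version number from the first line of `rsync --version` (e.g. 3.2.7).
rsync_installed_version() {
    rsync --version 2>/dev/null \
        | sed -n '1s/^rsync *version *\([0-9][0-9.]*\).*/\1/p'
}

# Succeed (exit 0) when major.minor of "$1" is older than 3.4, i.e. the
# release predates the fixes for CVE-2024-12084..12088 and CVE-2024-12747.
rsync_version_vulnerable() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ -z "$min" ] && min=0
    [ "$maj" -lt 3 ] && return 0
    [ "$maj" -gt 3 ] && return 1
    [ "$min" -lt 4 ]
}

# Succeed when the rsyncd.conf at "$1" has a "refuse options" line (global or
# per-module) whose value list names checksum. Comment lines are stripped
# first and the parameter name is matched case-insensitively, as rsyncd does.
rsyncd_refuses_checksum() {
    sed 's/#.*//' "$1" \
        | grep -i '^[[:space:]]*refuse[[:space:]]*options[[:space:]]*=' \
        | grep -qi 'checksum'
}
# Write a constructed sample rsyncd.conf to "$1" (demo input, not a real host).
write_sample_rsyncd_conf() {
    cat > "$1" <<'EOF'
# global section: mitigation from the advisory applies to every module
uid = nobody
Refuse Options = delete checksum
[mirror]
    path = /srv/mirror
    read only = yes
EOF
}

# Stand-alone demo: report on the local binary, then on the sample config.
v=$(rsync_installed_version)
if [ -n "$v" ] && rsync_version_vulnerable "$v"; then
    echo "rsync $v predates 3.4.0: update it"
fi
sample=$(mktemp) && write_sample_rsyncd_conf "$sample"
rsyncd_refuses_checksum "$sample" && echo "sample config refuses checksum"
rm -f "$sample"
```

A real deployment would point rsyncd_refuses_checksum at the live rsyncd.conf; the version check only tells you the release is old, not which of the listed CVEs a distribution has backported fixes for.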
Widespread Use and Concerns
- Rsync is a core component in many backup programs, including Rclone, DeltaCopy, and ChronoSync, and is commonly used in daemon mode for public mirrors. This widespread use makes these vulnerabilities particularly concerning for organizations and individuals relying on these services.
In summary, the recent discovery of these vulnerabilities in Rsync underscores the importance of regular security audits and prompt patching, even for long-standing and widely trusted tools. Immediate updating to Rsync version 3.4.0 is highly recommended to prevent potential exploits.