rsync, the veteran file synchronization tool, contains several vulnerabilities. The new 3.4.0 release, which fixes them, is already available.
Six vulnerabilities have been found in the tool. One is clearly the most worrisome: CVE-2024-12084, a heap-buffer overflow that lets attackers execute code remotely. BleepingComputer found that at least 660,000 servers expose rsync to the internet and are potentially affected; the vast majority (521,578) are in China.
More vulnerabilities
The remaining vulnerabilities are CVE-2024-12085 to CVE-2024-12088 and CVE-2024-12747. None of them scores above 7.5 on the CVSS scale. Nevertheless, the remote code execution mentioned above is achieved most simply by combining CVE-2024-12084 with CVE-2024-12085, an information leak.
Multiple parties have addressed these issues, including security researchers at Google, CERT/CC and Red Hat, which ships rsync in its Linux distributions. Besides Red Hat, the distributions of the AlmaLinux OS Foundation, Arch, Gentoo, Triton Data Center, Ubuntu and NixOS are also affected.
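A quick way to triage a fleet is to read the version banner that `rsync --version` prints and compare it with 3.4.0, the first release carrying the fixes. The script below is an added example (not code from the article or from the rsync project); it assumes the banner's first line has the shape "rsync  version X.Y.Z  protocol version N", which is how current rsync builds print it, and the sample banners embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the article or of rsync itself.
# Decide whether an installed rsync is at or above the fixed release by
# parsing the first line of its "rsync --version" banner.

FIXED_VERSION="3.4.0"   # first upstream release with the fixes

# version_ge A B -> exit status 0 if dotted version A >= B.
# Compares the first three numeric fields one by one, so 3.10.0 > 3.4.0
# (a plain string comparison would get this wrong).
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}          # missing field counts as 0
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# rsync_version_from_banner BANNER -> prints the dotted version on the first
# line, dropping any suffix such as "dev" or "pre1". Prints nothing if the
# line does not look like an rsync banner.
rsync_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# rsync_is_fixed BANNER -> 0 if the banner's version is >= FIXED_VERSION,
# 1 if it is older, 2 if no version could be parsed.
rsync_is_fixed() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Constructed sample banners (the shape of real ones, embedded so the script
# runs offline).
SAMPLE_OLD="rsync  version 3.2.7  protocol version 31
Copyright (C) 1996-2022 by Andrew Tridgell, Wayne Davison, and others."
SAMPLE_NEW="rsync  version 3.4.1  protocol version 32
Copyright (C) 1996-2025 by Andrew Tridgell, Wayne Davison, and others."

# When run directly, report on the samples and, if rsync is installed, on it.
report() {
    if rsync_is_fixed "$2"; then
        echo "$1: $(rsync_version_from_banner "$2") (fixed release or later)"
    else
        echo "$1: $(rsync_version_from_banner "$2") (older than $FIXED_VERSION)"
    fi
}
report "sample-old" "$SAMPLE_OLD"
report "sample-new" "$SAMPLE_NEW"
if command -v rsync >/dev/null 2>&1; then
    report "local rsync" "$(rsync --version 2>/dev/null)"
fi
```

One caveat before acting on the result: distributions such as Red Hat and Ubuntu routinely backport fixes into older version numbers, so a banner below 3.4.0 on a distro package does not by itself prove the host is vulnerable. Confirm against the distribution's advisory or the package changelog before filing it as unpatched.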
Old tool with known problems
Andrew Tridgell, one of rsync's creators and its maintainer, has made an update available; it has since been succeeded by version 3.4.1. It is the first release Tridgell himself has published since 2002. The tool dates back to 1996 and is written in C. That age is, in fairness, also reflected in the design of the (entirely functional) website on which rsync resides.
The series of vulnerabilities shows that even the oldest utilities can still harbour dangers. Popular open source projects like this one are embedded in everything. That was also evident last year with the compression tool xz, whose backdoor was discovered just in time, before it made its way into a popular Ubuntu LTS release.
Also read: xz backdoor shows how vulnerable open-source is to hackers playing the long game