Vulnerability Notice: CVE-2024-12084

Vendor:
Debian

Affected Product:
Debian 12 (Bookworm), Debian 12 (Bookworm-Security)

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
8.04 of 10 (High)

Description

A critical vulnerability has been identified in the rsync daemon due to a heap-based buffer overflow flaw. This issue arises from improper handling of attacker-controlled checksum lengths (s2length) in the code. When the maximum digest length (MAX_DIGEST_LEN) exceeds the fixed SUM_LENGTH (16 bytes), it allows an attacker to write out of bounds in the sum2 buffer.


Affected Product(s)

  • Debian 12 (bookworm) version: rsync version less than 3.2.7-1+deb12u1
  • Debian 12 (bookworm-security) version: rsync version less than 3.2.7-1+deb12u1
  • Various versions of openSUSE, Ubuntu, Slackware, Fedora, Alpine Linux, VMware Photon OS, FreeBSD, Gentoo, SUSE Enterprise Linux, Microsoft Azure Linux


Technical Details

The rsync utility is widely used for file transfer and synchronization because its delta-transfer algorithm sends only the blocks that differ between the source and destination files. That algorithm works by exchanging per-block checksums between the two sides, and CVE-2024-12084 is a heap-based buffer overflow in the code that receives those checksums and their length from the peer.

The flaw lies in the handling of the block-checksum list that one side of a transfer sends to the other. The header of that list carries the per-block strong-checksum length (s2length), so the value is under the peer's control. The receiving code stores each block's strong checksum in a fixed sum2 field of SUM_LENGTH (16) bytes, but in the affected versions it only bounds s2length by MAX_DIGEST_LEN, the longest digest the checksum code can produce, which is larger than 16. An s2length between 17 and MAX_DIGEST_LEN therefore passes validation, and copying that many bytes writes past the end of sum2 into adjacent heap memory, corrupting it and opening the way to remote code execution.

When the attacker conveys an excessive checksum length, nothing sized for the extra bytes exists: sum2 is a fixed 16-byte field inside a heap-allocated per-block record, so the surplus bytes overflow into whatever lies next in the heap. The corruption is attacker-controlled, which is why the flaw is rated critical: it is reachable by a remote client, anonymous read access to the daemon (as on a public mirror) suffices, and successful exploitation yields code execution in the daemon's process, giving the attacker control of the server. Several distributions ship affected builds, including but not limited to Debian, openSUSE, Ubuntu and Fedora.

Linux distributions that ship rsync as a default or optional package are all impacted because they build from the same upstream code. Upstream, the affected releases are rsync 3.2.7 through 3.3.0 and the fix shipped in rsync 3.4.0; Debian backported the fix into its existing package as 3.2.7-1+deb12u1, so on Debian the package revision, not the upstream version string 3.2.7 alone, tells whether a host is patched. The upstream project and distribution security teams released coordinated fixes.

The remediation is to bound the checksum length by what the receiving buffer can actually hold rather than by the largest digest the code can generate, rejecting an oversized s2length before any bytes are copied. Left unchecked, the flaw corrupts the heap, the region an application allocates dynamically at run time: an overlong checksum overwrites neighbouring objects or allocator metadata, and with a carefully chosen length and contents an attacker can turn that corruption into execution of their own payload.
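As an added illustration (not rsync's own code and not the upstream fix), the following C program models the failure mode and the remediation described in the paragraphs above: a fixed 16-byte sum2 slot, a checksum-list header whose s2length field is supplied by the peer, a length check bounded by MAX_DIGEST_LEN (the flawed policy) beside one bounded by the destination buffer (the hardened policy), and a parser that applies the hardened check before copying. Field names follow rsync's sum head and struct sum_buf loosely; the wire layout, the value 64 for MAX_DIGEST_LEN and every function name are assumptions for the demo, and the checksum-list bytes are constructed inline rather than captured traffic. The overflow is measured, never performed, so the program runs cleanly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on rsync's checksum code: the per-block strong-checksum slot (sum2) is a
 * fixed SUM_LENGTH-byte array, but the longest digest the code can emit is MAX_DIGEST_LEN
 * bytes. The value 64 is an assumption for this demo. */
#define SUM_LENGTH     16
#define MAX_DIGEST_LEN 64
struct sum_buf {                /* simplified per-block record, like rsync's sum_buf */
    int64_t  offset;            /* byte offset of the block in the file */
    int32_t  len;               /* block length */
    uint32_t sum1;              /* weak rolling checksum */
    uint8_t  sum2[SUM_LENGTH];  /* strong checksum: fixed 16 bytes */
};
/* Header of the checksum list as the peer sends it (layout assumed: four LE int32s). */
struct sum_head { int32_t count, blength, s2length, remainder; };

static int32_t rd32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Flawed policy: bound s2length by the largest digest the code can produce. Because
 * MAX_DIGEST_LEN > SUM_LENGTH, 17..64 pass, and copying that many bytes into sum2 overflows. */
int s2length_accepted_vulnerable(int32_t s2length) {
    return s2length >= 0 && s2length <= MAX_DIGEST_LEN;
}
/* Hardened policy: bound s2length by the buffer the bytes actually land in. */
int s2length_accepted_fixed(int32_t s2length) {
    return s2length >= 0 && s2length <= SUM_LENGTH;
}
/* Bytes a copy would write past sum2 under the flawed policy (0 if none); measured, not performed. */
int32_t overflow_bytes(int32_t s2length) {
    if (!s2length_accepted_vulnerable(s2length) || s2length <= SUM_LENGTH) return 0;
    return s2length - SUM_LENGTH;
}
/* Parse a checksum list with the hardened check. Returns the block count, or -1 if the
 * message is malformed, truncated, or carries an over-long s2length. *out: calloc'd, caller frees. */
int parse_sum_list(const uint8_t *msg, size_t len, struct sum_buf **out) {
    struct sum_head h;
    *out = NULL;
    if (len < 16) return -1;
    h.count = rd32(msg);        h.blength   = rd32(msg + 4);
    h.s2length = rd32(msg + 8); h.remainder = rd32(msg + 12);
    if (h.count < 0 || h.blength < 0 || h.remainder < 0) return -1;
    if (!s2length_accepted_fixed(h.s2length)) return -1;   /* the check the flaw lacks */
    size_t per = 4 + (size_t)h.s2length;                   /* sum1 + sum2 bytes per block */
    if ((size_t)h.count > (len - 16) / per) return -1;     /* truncated list */
    if (h.count == 0) return 0;
    struct sum_buf *bufs = calloc((size_t)h.count, sizeof *bufs);
    if (!bufs) return -1;
    const uint8_t *p = msg + 16;
    for (int32_t i = 0; i < h.count; i++, p += per) {
        bufs[i].offset = (int64_t)i * h.blength;
        bufs[i].len = (i == h.count - 1 && h.remainder) ? h.remainder : h.blength;
        bufs[i].sum1 = (uint32_t)rd32(p);
        memcpy(bufs[i].sum2, p + 4, (size_t)h.s2length); /* safe: s2length <= SUM_LENGTH */
    }
    *out = bufs;
    return h.count;
}
/* Build a constructed checksum list (not captured traffic): `count` blocks with the given
 * s2length and sum2 bytes set to `fill`. Returns bytes written, or 0 if cap is too small. */
size_t build_sum_list(uint8_t *buf, size_t cap, int32_t count, int32_t s2length, uint8_t fill) {
    size_t per = 4 + (size_t)s2length, need = 16 + (size_t)count * per;
    if (need > cap) return 0;
    wr32(buf, (uint32_t)count);        wr32(buf + 4, 700);
    wr32(buf + 8, (uint32_t)s2length); wr32(buf + 12, 0);
    uint8_t *p = buf + 16;
    for (int32_t i = 0; i < count; i++, p += per) {
        wr32(p, 0x01010101u * (uint32_t)(i + 1));
        memset(p + 4, fill, (size_t)s2length);
    }
    return need;
}

/* Build and parse a 3-block list using `s2length`; returns parse_sum_list's result. */
int demo_parse_with_s2length(int32_t s2length) {
    uint8_t msg[512];
    struct sum_buf *bufs = NULL;
    size_t n = build_sum_list(msg, sizeof msg, 3, s2length, 0xAA);
    int rc = n ? parse_sum_list(msg, n, &bufs) : -2;
    free(bufs);
    return rc;
}

int main(void) {
    int32_t probes[] = { 16, 20, 32, 64 };
    for (size_t i = 0; i < 4; i++)
        printf("s2length=%2d flawed-check=%d fixed-check=%d overflow=%d parse=%d\n", (int)probes[i],
               s2length_accepted_vulnerable(probes[i]), s2length_accepted_fixed(probes[i]),
               (int)overflow_bytes(probes[i]), demo_parse_with_s2length(probes[i]));
    return 0;
}
```

Compile with `cc -std=c11 -Wall demo.c` and run: 16 passes both checks and parses, while 20, 32 and 64 pass the MAX_DIGEST_LEN-bounded check (overflowing sum2 by 4, 16 and 48 bytes if the copy were made) and are rejected by the hardened parser. The point to carry away is that the bound on a peer-supplied length must be the capacity of the destination buffer, not the maximum the producer can generate.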

The attack vector is the network: a client connects to an rsync daemon (TCP port 873 by default) and sends a crafted checksum header, which makes unpatched daemons on network-attached storage, backup servers and public mirrors high-risk targets; where the daemon permits anonymous read access, no credentials are needed. Red Hat, Debian and SUSE, among others, have published advisories with remediation steps. Exploitation requires tooling that speaks the rsync protocol and crafts the malformed checksum header; such payloads have been demonstrated on security demonstration platforms and in proof-of-concept repositories.


Weakness

The identified weakness is CWE-122, Heap-based Buffer Overflow: a write past the bounds of a heap-allocated buffer caused by missing or incorrect bounds checking on a length used in a memory operation, which corrupts adjacent memory and can lead to attacker-controlled behaviour.


Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code within the context of the rsync daemon, or entirely compromise the system running rsync. The potential impacts include data breaches, system downtime, or full control over the affected systems.


Active Exploitation

We have observed activity from multiple adversary groups that specialize in exploiting buffer overflow vulnerabilities. These groups have previously targeted similar weaknesses in network-accessible services, indicating a heightened risk of exploitation for rsync daemons left unpatched.


Ransomware Association

There is no direct association with a specific ransomware linked to this vulnerability. However, given the critical nature of this vulnerability, it represents a high-risk factor for initial system compromise, which could be utilized as a precursor for ransomware deployment by attackers.


Mitigation and Resolution

Patches are available. On Debian 12 (bookworm) update to rsync 3.2.7-1+deb12u1 or later; upstream the fix is in rsync 3.4.0, and other distributions ship either that release or a backport, so consult the Red Hat, Debian, SUSE and other vendor advisories for the fixed package version on each platform.


Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • On Debian 12 (bookworm), update rsync to 3.2.7-1+deb12u1 or later and confirm the installed package revision (dpkg -s rsync), since the upstream version string 3.2.7 alone does not distinguish patched from unpatched builds.
  • On other distributions, update rsync to the package version that includes the CVE-2024-12084 fix (upstream rsync 3.4.0 or a vendor backport).
  • Restrict network access to the rsync daemon (TCP port 873 by default) from untrusted networks, using firewall rules and the hosts allow / hosts deny parameters in rsyncd.conf, and disable anonymous modules that are not required.
  • Monitor systems for unusual activity related to rsync processes, including daemon crashes, which can indicate failed exploitation attempts against this overflow.
  • Implement application-layer filtering to minimize exposure.

References


View In Platform

https://vi.securin.io/vulnerability/detail/cve-2024-12084
