CVE-2024-12084
Public on
Last Modified:
Description
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
Statement
This vulnerability only affects a limited range of Rsync versions, rsync-3.2.7 and rsync-3.3.0. Red Hat Enterprise Linux does not ship these versions of Rsync and is not affected.
Red Hat considers the severity of this vulnerability to be Critical only in cases where anonymous read access is allowed. Depending on the configuration and implementation choices, the severity may be significantly reduced for your organization.
In all supported versions of Red Hat Enterprise Linux, Rsync is not configured to run as a service by default.
There are two different methods for utilizing Rsync from a remote system: contacting an Rsync daemon directly with TCP or using a remote-shell program as the transport (such as ssh or rsh). The risk of this vulnerability changes depending on which connection method is used.
The default configuration of an Rsync daemon (rsyncd) running as a service does not require authentication. While rsyncd can be configured to require users to provide valid credentials, anonymous read access is a common configuration used by file sharing and mirroring hosts. The capabilities of the rsyncd process may vary depending on the user configured to run the Rsync daemon. In this scenario, an attacker only requires anonymous read access to a Rsync server in order to trigger this vulnerability.
Remote-shell programs provide a layer of defense because they enforce users to have valid credentials while initiating the shell connection. When Rsync is invoked via this method, it spawns as a child of the session and will not remain running indefinitely. Since the process is spawned within the security context of the user, an attacker who is able to exploit this vulnerability remains restricted to the capabilities of the user account used to initiate the session. Authentication and network restrictions significantly reduce the attack surface and restricting permissions for remote shell users is always encouraged to limit the impact of compromised credentials.
Mitigation
Red Hat recommends filtering untrusted connections to Rsync via firewall rules on the host and on network firewall appliances.
Additionally, systems which only need to provide remote Rsync access to users with known identities can enable authentication using the
auth usersparameter in their rsyncd configuration file (rsyncd.conf).
Systems that provide anonymous read access to hosted files via Rsync, such as mirror hosts, do not have reasonable mitigation options available. We strongly urge operators using vulnerable versions of Rsync to update as soon as possible.
Additional information
- Bugzilla 2330527: rsync: Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
- CWE-122: Heap-based Buffer Overflow
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
The following CVSS metrics and score provided are preliminary and subject to review.
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 9.8 | N/A |
Attack Vector | Network | N/A |
Attack Complexity | Low | N/A |
Privileges Required | None | N/A |
User Interaction | None | N/A |
Scope | Unchanged | N/A |
Confidentiality Impact | High | N/A |
Integrity Impact | High | N/A |
Availability Impact | High | N/A |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Understanding the Weakness (CWE)
Availability
Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity,Confidentiality,Availability,Access Control
Technical Impact: Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Modify Memory
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.
Integrity,Confidentiality,Availability,Access Control,Other
Technical Impact: Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Other
When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Acknowledgements
Red Hat would like to thank Jasiel Spelman (Google), Pedro Gallegos (Google), and Simon Scannell (Google) for reporting this issue.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
My product is listed as "Out of Support Scope". What does this mean?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
