Rsync Vulnerabilities Let Hackers Gain Full Control

Critical vulnerabilities in the Rsync file synchronization tool enable attackers to execute arbitrary code on vulnerable servers, exfiltrate sensitive data, and bypass critical security controls. 

The vulnerabilities affect Rsync version 3.2.7 and earlier, with proof-of-concept exploits already demonstrating remote code execution capabilities.

Critical Memory Corruption Vulnerabilities

Heap Buffer Overflow in Checksum Handling (CVE-2024-12084)

GitHub reported that the most severe vulnerability stems from improper bounds checking in the checksum parsing implementation. When processing file chunks, Rsync’s sender.c module allocates fixed-size buffers for storing checksum data:

The s2length parameter, which is controlled by the connecting client, can exceed the 16-byte buffer allocation when the SHA-256 (32-byte) or SHA-512 (64-byte) digest algorithm is in use. 

This allows writing up to 48 bytes beyond the heap buffer’s boundaries, enabling control over critical memory structures.

ASLR Bypass via Stack Information Leak (CVE-2024-12085)

Attackers combine the buffer overflow with an information leak vulnerability in the hash_search function’s stack handling:

By manipulating checksum lengths, attackers can compare known values against uninitialized stack data containing memory addresses. Through statistical analysis of 255 file chunks, researchers demonstrated reliable ASLR bypass by leaking one byte per iteration.

Client-Side File Exfiltration (CVE-2024-12086)

Malicious servers can exploit Rsync’s file comparison logic to read arbitrary client files. By sending specially crafted fnamecmp_type and xname values, attackers bypass path sanitization. 

This forces clients to open specified files and transmit checksum mismatch data, enabling byte-by-byte reconstruction of sensitive files through adaptive checksum brute-forcing.

Symbolic Link Exploitation Chain (CVE-2024-12087/12088)

Attackers bypass Rsync’s --safe-links protection using multi-stage directory poisoning:

  • Send initial file list creating ./symlink directory
  • Follow with updated list replacing directory with symbolic link
  • Write files through poisoned path resolution

The vulnerability stems from inadequate validation of cumulative path traversals when resolving nested symbolic links. Safe link verification uses incomplete depth calculation:

unsafe_depth=count_dots(link_target)

This fails to account for subsequent symlinks in resolved paths, enabling boundary escapes through chained directory references.
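As an added illustration (not rsync's code and not from the article), the per-link dot-counting check described above is placed beside a full-resolution audit a defender can run over a received tree after a transfer. The directory layout built by build_demo_tree is constructed for the demonstration: a link whose target passes the dot count, plus a directory later swapped for a symlink, as in the two-stage file list.

```python
import os
import tempfile


def naive_depth_ok(link_depth, target):
    """Per-link check in the style the article describes: count '..'
    components of the target against the link's depth, without consulting
    the filesystem. Returns True when the target never climbs above root."""
    depth = link_depth
    for part in target.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        elif part not in ("", "."):
            depth += 1
    return True


def find_escaping_symlinks(root):
    """Audit a received tree: a symlink is reported when its fully resolved
    target (every chained link followed) lies outside the real root."""
    real_root = os.path.realpath(root)
    unsafe = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                resolved = os.path.realpath(p)
                if os.path.commonpath([real_root, resolved]) != real_root:
                    unsafe.append(os.path.relpath(p, root))
    return sorted(unsafe)


def build_demo_tree():
    """Constructed layout (hypothetical, not from the article)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    os.mkdir(os.path.join(root, "hop"))  # stage one: 'hop' is a real directory
    # Link at depth 1; its target looks harmless to the per-link dot count.
    os.symlink("../hop/secret", os.path.join(root, "sub", "l1"))
    # Stage two: the directory is replaced by a symlink that climbs above root,
    # so sub/l1 now resolves to <parent of root>/secret.
    os.rmdir(os.path.join(root, "hop"))
    os.symlink("..", os.path.join(root, "hop"))
    return root
```

The dot count accepts "../hop/secret" at depth 1, while the resolution-based audit flags both "hop" and "sub/l1" because their final targets sit outside the tree.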

Combining CVE-2024-12084 and CVE-2024-12085 creates a full remote code execution chain:

  • Leak stack memory layout to defeat ASLR
  • Craft precise heap overflow payload
  • Overwrite function pointers with shellcode addresses

Researchers demonstrated reliable exploitation against Debian 12’s Rsync 3.2.7 daemon configuration. The vulnerabilities are particularly dangerous as they require only anonymous read access to trigger.

Mitigation and Patches

All users must immediately upgrade to Rsync 3.4.0, which includes:

  • Strict bounds checking for checksum buffers
  • Stack buffer initialization in hash functions
  • Enhanced symbolic link validation
  • Path sanitization improvements

Administrators should audit Rsync server configurations, disabling anonymous access where possible. Client-side protections require enforcing --safe-links with --munge-symlinks for all untrusted connections.

As Rsync remains widely deployed in enterprise backup systems and CI/CD pipelines, prompt patching is essential to prevent large-scale breaches. The released PoC code heightens urgency for remediation efforts across all affected organizations.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.