Top file synchronization tool Rsync security flaws mean up to 660,000 servers possibly affected

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

(Image credit: Shutterstock)

Rysinc was found to be vulnerable to at least six flaws
One of the bugs is a critical-severity RCE, experts warn
Users and vendors are advised to update to version 3.4.0 immediately

Rsync, a popular open source file transfer and synchronization tool has been found carrying multiple vulnerabilities that allowed threat actors to conduct all kinds of malicious activities, remote code execution (RCE) included. As a result, hundreds of thousands of endpoints are at serious risk.

The warning comes from multiple cybersecurity researchers, including those from Google Cloud, who recently discovered and reported the flaws.

“Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on,” a security advisory published on Openwall reads. “Upstream has prepared patches for these CVEs. These fixes will be included in rsync 3.4.0 which is to be released shortly.”

Applying the fix

The most severe vulnerability is tracked as CVE-2024-12084, and is described as a heap buffer overflow bug arising from improper handling of checksum lengths in the Rsync daemon. It was given a severity score of 9.8, and said to affect versions 3.2.7 through < 3.4.0.

Other flaws are CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal), CVE-2024-12088 (bypass of –safe-links Option), and CVE-2024-12747 (symbolic link race condition).

The CERT Coordination Center (CERT/CC) labeled Red Hat, Arch, Gentoo, Ubuntu NixOS, AlmaLinux OS Foundation, and the Triton Data Center all as impacted, but added that there are “many more” potentially impacted projects and vendors.

"When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running," warned CERT/CC.

BleepingComputer also ran a quick Shodan scan which came back with 660,000 potentially affected instances. The majority (521,000) is located in China, with the remaining being split between the United States, Hong Kong, Korea, and Germany.

All Rsync users should upgrade to version 3.4.0 as soon as possible, or at least block TCP port 873.

Popular file transfer software has a seriously dangerous security bug that gives anyone free administrator rights — so patch it now to avoid another Moveit-like debacle
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.