Ancestors

Toot

Written by Jan Schaumann on 2025-01-14 at 18:26

6 new CVEs in "rsync".

"In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on."

That would be CVE-2024-12084 (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a heap-based buffer overflow in rsyncd.

https://www.openwall.com/lists/oss-security/2025/01/14/3

=> More information about this toot | More toots from jschauma@mstdn.social

Descendants

Written by Jan Schaumann on 2025-01-14 at 19:45

Anybody know whether the issue in CVE-2024-12084 is strictly within "rsyncd", or does this also affect "rsync --server --sender"?

If so, then that would impact a lot more deployments, i.e., those that depend on SSH as the transport.

=> More information about this toot | More toots from jschauma@mstdn.social

Written by Parade du Grotesque 💀 on 2025-01-14 at 18:35

@jschauma

Ouch!

=> More information about this toot | More toots from ParadeGrotesque@mastodon.sdf.org

Written by bert hubert 🇺🇦🇪🇺 on 2025-01-14 at 18:48

@jschauma I spent good time investigating if I should enable an anonymous rsync server for a DNA project and on balance I decided it felt too risky. Really sucks that there is almost nothing left we can trust.

=> More information about this toot | More toots from bert_hubert@fosstodon.org

Written by Fazal Majid on 2025-01-14 at 19:33

@bert_hubert @jschauma have you looked at Unison? It uses the rsync algorithm but it is bidirectional. Regarding security, it's as secure as SSH (as is using rsync in SSH mode).

I do have at least one device (UnifyDrive UT2) that uses rsyncd for software updates. Well, perhaps here is my opportunity to root its locked-down OS after all 🙂

=> More information about this toot | More toots from fazalmajid@vivaldi.net

Written by John Kristoff on 2025-01-14 at 18:57

@jschauma The thing I'd be especially concerned about are #RPKI publication points.

=> More information about this toot | More toots from jtk@infosec.exchange

Written by Claus Holm Christensen on 2025-01-14 at 22:28

@jschauma I do not know if rsync --server is also affected, but if the transport is SSH, then the remote end is rarely unknown?

It is a reduced attack surface (only known users allowed to use SSH), and you have a better chance of identifying a hacker from the log files.

=> More information about this toot | More toots from claushc@mastodon.social

Written by sebsauvage on 2025-01-14 at 19:55

@jschauma 😱

=> More information about this toot | More toots from sebsauvage@framapiaf.org

Written by SpaceLifeForm on 2025-01-14 at 20:11

@jschauma

Nasty. Clever.

=> More information about this toot | More toots from SpaceLifeForm@infosec.exchange

Written by David W. Jones on 2025-01-15 at 01:20

@jschauma

Explains today's security updates to rsync in Debian Bookworm!

@SpaceLifeForm

=> More information about this toot | More toots from dancingtreefrog@mastodon.social

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113828113273500577