Security vulnerabilities in the Rsync file synchronization tool could affect up to 660,000 servers.
Security researchers have found six vulnerabilities in this widely deployed tool.
Rsync, the popular open-source utility for file transfer and synchronization, has been found to contain multiple vulnerabilities that attackers could exploit, the most serious of which allows remote code execution (RCE). Hundreds of thousands of exposed hosts are at risk. The warning comes from several groups of security experts, including researchers at Google Cloud, who reported the flaws to the project.
Two independent groups of researchers reported a total of six vulnerabilities. The most critical, tracked as CVE-2024-12084, is a heap buffer overflow in the handling of checksum lengths. It lets an attacker with nothing more than anonymous read access to an Rsync server, the level of access a public mirror grants to everyone, execute arbitrary code on the machine running that server. It carries a CVSS score of 9.8 and affects versions from 3.2.7 up to, but not including, 3.4.0.
The remaining five are: CVE-2024-12085 (information leak through uninitialized stack contents, which a malicious peer can read one byte at a time), CVE-2024-12086 (a malicious server can leak arbitrary files from the connecting client), CVE-2024-12087 (path traversal that lets a malicious server write outside the client's destination directory when --inc-recursive is in effect), CVE-2024-12088 (bypass of the --safe-links option), and CVE-2024-12747 (a symbolic link race condition). Note that four of the five are attacks by a hostile server against the client, so they matter even on hosts that never run an Rsync daemon.
The CERT Coordination Center (CERT/CC) has confirmed that several distributions, including Red Hat, Arch, Gentoo, Ubuntu, NixOS and the AlmaLinux OS Foundation, ship affected packages, and warns that many other projects and vendors that bundle Rsync are likely to be affected as well.
Chained together, the two most severe flaws (the heap overflow and the stack information leak, which defeats address randomization) allow a malicious client to execute arbitrary code on any host running an Rsync daemon. A quick Shodan search turned up roughly 660,000 Internet-exposed Rsync instances, most of them (about 521,000) in China, with the rest spread across the United States, Hong Kong, Korea and Germany.
All Rsync users are advised to upgrade to version 3.4.0 as soon as possible. Blocking TCP port 873, or otherwise not exposing the Rsync daemon to untrusted networks, removes the remote code execution path for the server, but it does nothing for the client-side flaws: a client that syncs from a compromised or malicious server over SSH is still exposed until it is patched. Also check distribution packages rather than trusting the version number alone, since several distributions backport the fixes while keeping an older version string; the package changelog will list the CVE identifiers.
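As an added example, not taken from the advisory or from the rsync project, the following script checks a host's rsync build against the version ranges quoted above and reports whether an rsync daemon is listening on TCP 873. It parses the first line of `rsync --version` (which looks like `rsync  version 3.2.7  protocol version 31`) and compares the version numerically, so `3.10` sorts after `3.9`. The sample banners in the usage section are constructed; the `ss` check is only meaningful on the host being audited, and the script cannot see distribution backports, which keep an older version string.

```shell
#!/bin/sh
# Added example: classify an rsync build against the CVE-2024-12084 range
# (3.2.7 <= v < 3.4.0) and the fixed release (3.4.0).  Not rsync project code.

# version_cmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (numeric, per dotted component)
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0   # missing components count as 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1";  exit }
        }
        print "0"
    }'
}

# rsync_version_from_banner LINE: extracts "3.2.7" from the first --version line
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version v*\([0-9][0-9.]*\).*/\1/p'
}

# rsync_status LINE: prints one of
#   rce-range : 3.2.7 <= v < 3.4.0, CVE-2024-12084 heap overflow applies (plus the rest)
#   pre-3.2.7 : below the quoted range for CVE-2024-12084 but still older than the 3.4.0 fix
#   fixed     : v >= 3.4.0
#   unknown   : banner not recognised (returns 1)
rsync_status() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || { echo unknown; return 1; }
    if   [ "$(version_cmp "$v" 3.4.0)" -ge 0 ]; then echo fixed
    elif [ "$(version_cmp "$v" 3.2.7)" -ge 0 ]; then echo rce-range
    else echo pre-3.2.7
    fi
}

# rsyncd_listening: returns 0 if something is bound to TCP port 873 (needs iproute2 `ss`)
rsyncd_listening() {
    ss -ltn 2>/dev/null | awk 'NR > 1 && $4 ~ /:873$/ { found = 1 } END { exit !found }'
}

# Stand-alone use: audit the local host.  Both checks are skipped if the tools are absent.
if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
    echo "local rsync: $banner -> $(rsync_status "$banner")"
fi
if rsyncd_listening; then
    echo "rsync daemon is listening on TCP 873; firewall it or upgrade to 3.4.0"
    # e.g. iptables -A INPUT -p tcp --dport 873 -j DROP
    #      nft add rule inet filter input tcp dport 873 drop
fi
```

A daemon that is not listening on 873 does not mean the host is safe: the client-side issues (CVE-2024-12086, -12087, -12088, -12747) apply whenever this host pulls from a server it does not control, so `rce-range` and `pre-3.2.7` both mean "upgrade".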