Addressing rsync CVEs in vCenter Photon OS 4.0

Article ID: 388935


Products

VMware vCenter Server

Issue/Introduction

This knowledge article addresses several critical vulnerabilities (CVEs) discovered in rsync, a widely-used file synchronization tool. The vulnerabilities range from buffer overflow flaws and checksum manipulation to path traversal and symbolic link handling issues. These flaws, including CVE-2024-12084 through CVE-2024-12747, can potentially lead to out-of-bounds writes, data leaks, unauthorized file access, and privilege escalation. Each CVE highlights specific scenarios where attackers could exploit the vulnerabilities, often through specially crafted inputs or by manipulating server-client interactions during file transfers. Understanding these vulnerabilities and applying necessary patches is crucial for securing rsync environments.

Cause

The vulnerabilities in rsync are primarily caused by improper handling of certain input data and insufficient validation during critical operations such as checksum comparison, file path handling, and symbolic link processing. rsync allows files and directories to be transferred flexibly, both locally and remotely.

CVE-2024-12084 and CVE-2024-12085 stem from manipulation of checksum lengths, leading to buffer overflows and uninitialized memory reads, and ultimately allow remote code execution (RCE). By combining the two vulnerabilities, a malicious client with anonymous read access can defeat ASLR (address space layout randomization) and remotely execute arbitrary code on the rsync server machine.

CVE-2024-12086 is triggered by improper handling of file checksums, enabling potential data enumeration from the client’s machine.

The path traversal vulnerabilities in CVE-2024-12087 and CVE-2024-12088 result from insufficient validation of symbolic links and file paths, allowing attackers to write files to arbitrary locations or bypass intended directory restrictions.

CVE-2024-12747 is caused by a race condition in symbolic link handling, where an attacker can exploit timing to bypass rsync’s default behavior, potentially leading to sensitive data leakage or privilege escalation. 

Resolution

VMware by Broadcom is aware of these vulnerabilities and has addressed them in the upcoming release of vCenter, which will update rsync to rsync-3.4.1.

Only vCenter Server instances with an rsync version between 3.2.7 and 3.4.0 (inclusive) are affected by the heap overflow vulnerability. vCenter Server instances with an rsync version lower than 3.2.7 or higher than 3.4.0 are not impacted, as these vulnerabilities were introduced in rsync v3.2.7.

To check the rsync version on vCenter, run the following command:

rpm -qa | grep -i rsync
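The following script is an added example, not part of this article or of any Broadcom tooling. It wraps the check above: it reads the installed rsync version from the rpm database (or parses a package name of the form rsync-VERSION-RELEASE.ARCH as printed by rpm -qa) and reports whether that version falls inside the affected range 3.2.7 through 3.4.0 stated in this article. The helper names (ver_to_num, rsync_affected, version_from_rpm_name, installed_rsync_version) and the fallback sample version are assumptions made for the example; when rpm is not available the script uses a constructed sample string so it can be run off-box.

```sh
#!/bin/sh
# Added example (not from the Broadcom KB article): classify an installed rsync
# version against the affected range given above, 3.2.7 <= version <= 3.4.0.

# ver_to_num VERSION: convert "3.4.1" (optionally followed by an rpm release
# such as "-1.ph4") into a single integer so that versions compare numerically.
# Assumes a numeric major.minor[.patch] layout.
ver_to_num() {
    v=${1%%-*}                      # drop any "-release" suffix
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "3.4" with no patch field
    echo $(( major * 10000 + minor * 100 + patch ))
}

# version_from_rpm_name NAME: extract the version from an rpm -qa line such as
# "rsync-3.2.7-1.ph4.x86_64" -> "3.2.7".
version_from_rpm_name() {
    v=${1#rsync-}
    echo "${v%%-*}"
}

# rsync_affected VERSION: print "affected" or "not affected" and return 0 when
# the version lies inside the range this article identifies as vulnerable.
rsync_affected() {
    n=$(ver_to_num "$1")
    lo=$(ver_to_num 3.2.7)
    hi=$(ver_to_num 3.4.0)
    if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo "affected"
        return 0
    fi
    echo "not affected"
    return 1
}

# installed_rsync_version: query the rpm database when it is present; otherwise
# fall back to a constructed sample value so the script runs on any host.
installed_rsync_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q rsync >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' rsync
    else
        echo "3.2.7"    # constructed sample value for offline use
    fi
}

# Usage: run the script as-is on the appliance to get a one-line verdict.
installed=$(installed_rsync_version)
printf 'rsync %s: %s\n' "$installed" "$(rsync_affected "$installed")"
```

The verdict only reflects the range stated in this article; rsync_affected returns 0 for affected versions so the script can be chained into an inventory check, for example by looping over hosts and collecting the exit status.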