Security researchers at Google (Pedro Gallegos, Simon Scannell, and Jasiel Spelman) discovered vulnerabilities in the rsync server and rsync client. The rsync server vulnerabilities (CVE-2024-12084 and CVE-2024-12085) ultimately allow remote code execution (RCE). The rsync client vulnerabilities allow a malicious server to read arbitrary files (CVE-2024-12086), create unsafe symlinks (CVE-2024-12087) and overwrite arbitrary files in certain circumstances (CVE-2024-12088).
During the coordinated vulnerability response of the above issues, a sixth vulnerability (CVE-2024-12747) which affects how the rsync server handles symlinks was reported by Aleksei Gorban.
Canonical’s security team has released updates of the rsync packages for all supported Ubuntu releases. The updates remediate CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747. Information on the affected versions can be found in the CVE pages linked above.
Google researchers discovered that the rsync server is vulnerable to a heap buffer overflow (CVE-2024-12084) and an information leak of uninitialized stack data (CVE-2024-12085). By combining the two vulnerabilities, a malicious client with anonymous read-access can defeat ASLR (address space layout randomization) and remotely execute arbitrary code on the rsync server machine. These vulnerabilities were introduced in rsync v3.2.7, so Ubuntu 20.04 LTS and earlier releases are not vulnerable to this attack chain.
Three additional vulnerabilities affect the rsync client. CVE-2024-12086 is a path traversal vulnerability which allows a malicious server to read any file the client process can access. CVE-2024-12087 allows a malicious server to bypass --safe-links and create unsafe symbolic links. CVE-2024-12088 is another path traversal vulnerability which allows a malicious server to overwrite arbitrary files on the client’s machine under certain circumstances.
Aleksei Gorban discovered an additional vulnerability in the rsync server (CVE-2024-12747). In this case, rsync improperly handles symlinks during a race condition and can be used to leak sensitive information to a remote attacker.
| Release | Package Name | Fixed Version |
|---|---|---|
| Trusty (14.04 LTS) | rsync | 3.1.0-2ubuntu0.4+esm1 |
| Xenial (16.04 LTS) | rsync | 3.1.1-3ubuntu1.3+esm3 |
| Bionic (18.04 LTS) | rsync | 3.1.2-2.1ubuntu1.6+esm1 |
| Focal (20.04 LTS) | rsync | 3.1.3-8ubuntu0.8 |
| Jammy (22.04 LTS) | rsync | 3.2.7-0ubuntu0.22.04.3 |
| Noble (24.04 LTS) | rsync | 3.2.7-1ubuntu1.1 |
| Oracular (24.10) | rsync | fix not available |
On your system, run the following command and compare the listed version to the table above.

```
dpkg -l rsync
```

We recommend you upgrade all packages:

```
sudo apt update && sudo apt upgrade
```

If this is not possible, the affected component can be targeted:

```
sudo apt update && sudo apt install --only-upgrade rsync
```

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service applies new security updates every 24 hours automatically. In other words, if you have this enabled, the patches above will be automatically applied within 24 hours of being available.
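As an added example (not part of the Ubuntu advisory or of the rsync project), the check below compares an installed rsync version against the fixed version for a release using dpkg's own version-ordering rules, so that a revision such as 0ubuntu0.22.04.10 ranks above 0ubuntu0.22.04.3 and 3.2.7~rc1 ranks below 3.2.7. It assumes the release codename and installed version are supplied from `lsb_release -cs` and `dpkg-query -W -f='${Version}' rsync`; the fixed versions are the ones from the table above.

```python
import re
from itertools import zip_longest

# Fixed versions from the table above (Oracular had no fix at publication time).
FIXED_VERSIONS = {
    "trusty": "3.1.0-2ubuntu0.4+esm1",
    "xenial": "3.1.1-3ubuntu1.3+esm3",
    "bionic": "3.1.2-2.1ubuntu1.6+esm1",
    "focal": "3.1.3-8ubuntu0.8",
    "jammy": "3.2.7-0ubuntu0.22.04.3",
    "noble": "3.2.7-1ubuntu1.1",
}

def _order(c: str) -> int:
    """dpkg's character weight: end-of-string/digits 0, letters by code point, '~' lowest, other symbols highest."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does."""
    # Split each string into alternating (non-digit, digit) chunks.
    chunks_a = re.findall(r"(\D*)(\d*)", a)
    chunks_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(chunks_a, chunks_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):   # non-digit part: by _order()
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):                     # digit part: numerically
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions` lt/eq/gt."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def rsync_is_patched(codename: str, installed: str) -> "bool | None":
    """True if installed rsync >= fixed version for the release, False if older, None if no fix is listed."""
    fixed = FIXED_VERSIONS.get(codename.lower())
    return None if fixed is None else compare_versions(installed, fixed) >= 0
```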
Many thanks to Pedro Gallegos, Simon Scannell, and Jasiel Spelman at Google for researching and reporting these vulnerabilities, to Aleksei Gorban for their research, to Andrew Tridgell and Wayne Davison from rsync for creating security patches, and to CERT/CC’s VINCE for vulnerability coordination.
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://www.kb.cert.org/vuls/id/952657
https://www.mail-archive.com/rsync-announce@lists.samba.org/msg00114.html