Title: Over 660,000 Rsync servers exposed to code execution attacks
Description: Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers.
By Bill Toulas, January 15, 2025 12:00 PM

Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers.

Rsync is an open-source file synchronization and data transfer tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. It supports local file system transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon.

The tool is used extensively by backup systems like Rclone, DeltaCopy, and ChronoSync, by public file distribution repositories, and in cloud and server management operations.

The Rsync flaws were discovered by Google Cloud and independent security researchers and can be combined to create powerful exploitation chains that lead to remote system compromise.

"In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on," reads the bulletin published on Openwall.

The six flaws are summarized below:

Heap Buffer Overflow (CVE-2024-12084): Vulnerability arising from improper handling of checksum lengths in the Rsync daemon, leading to out-of-bounds writes in the buffer. It affects versions 3.2.7 up to, but not including, 3.4.0 and can enable arbitrary code execution. Mitigation involves compiling with specific flags to disable SHA256 and SHA512 digest support. (CVSS score: 9.8)

Information Leak via Uninitialized Stack (CVE-2024-12085): Flaw allowing the leakage of uninitialized stack data when comparing file checksums. Attackers can manipulate checksum lengths to exploit this vulnerability. It affects all versions below 3.4.0, with mitigation achievable by compiling with the -ftrivial-auto-var-init=zero flag to initialize stack contents. (CVSS score: 7.5)

Server Leaks Arbitrary Client Files (CVE-2024-12086): Vulnerability allowing a malicious server to enumerate and reconstruct arbitrary client files byte-by-byte using manipulated checksum values during file transfer. All versions below 3.4.0 are affected. (CVSS score: 6.1)

Path Traversal via --inc-recursive Option (CVE-2024-12087): Issue that stems from inadequate symlink verification when using the --inc-recursive option. Malicious servers can write files outside the intended directories on the client. All versions below 3.4.0 are vulnerable. (CVSS score: 6.5)

Bypass of --safe-links Option (CVE-2024-12088): Flaw which occurs when Rsync fails to properly verify symbolic link destinations containing other links. It results in path traversal and arbitrary file writes outside designated directories. All versions below 3.4.0 are impacted. (CVSS score: 6.5)

Symbolic Link Race Condition (CVE-2024-12747): Vulnerability arising from a race condition in handling symbolic links. Exploitation may allow attackers to access sensitive files and escalate privileges. All versions below 3.4.0 are affected. (CVSS score: 5.6)

The CERT Coordination Center (CERT/CC) issued a bulletin warning about the Rsync flaws, marking Red Hat, Arch, Gentoo, Ubuntu, NixOS, AlmaLinux OS Foundation, and the Triton Data Center as impacted. However, many more potentially impacted projects and vendors have not responded yet.

"When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running," warned CERT/CC. "The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt."

In its own bulletin about CVE-2024-12084, Red Hat noted that there are no practical mitigations, and the flaw is exploitable in Rsync's default configuration.

"Keep in mind that rsync's default rsyncd configuration allows anonymous file syncing, which is at risk of this vulnerability," explains Red Hat. "Otherwise, an attacker will need valid credentials for servers which require authentication."

All users are advised to upgrade to version 3.4.0 as soon as possible.

Widespread impact

A Shodan search conducted by BleepingComputer shows that there are over 660,000 IP addresses with exposed Rsync servers. Most IP addresses are located in China, with 521,000 exposed, followed by the United States, Hong Kong, Korea, and Germany in much smaller numbers.

[Figure: Shodan map of exposed Rsync servers]

Of these exposed Rsync servers, 306,517 are running on the default TCP port 873 and 21,239 are listening on port 8873, commonly used for Rsync over SSH tunneling. Binary Edge also shows a large number of exposed Rsync servers, but their numbers are lower, at 424,087.

While there are many exposed servers, it is unclear whether they are vulnerable to the newly disclosed vulnerabilities, as attackers would need valid credentials or the server must be configured for anonymous connections, which we did not test.

All Rsync users are strongly advised to upgrade to version 3.4.0 or configure the daemon to require credentials. For those unable to upgrade now, you can also block TCP port 873 at the perimeter so servers are not remotely accessible.
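A defender-side check for the two mitigations the article recommends: upgrading to 3.4.0 and requiring credentials on the daemon. This is an added example, not code from the article or the rsync project; the rsyncd.conf text and the version strings are constructed, and the parser only handles the key = value and [module] syntax used in the sample.

```python
# Added example (not from the article or rsync): audit rsyncd.conf modules for
# anonymous access and compare an rsync version string against 3.4.0.
import re
FIXED_VERSION = (3, 4, 0)
# Constructed sample config: one anonymous public module, one locked down.
SAMPLE_CONF = """# global default, inherited by every module
read only = true
[mirror]
    path = /srv/mirror
[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

def parse_rsyncd_conf(text):
    """Return (globals, {module: settings}); modules inherit global defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # new [module]
            current = line[1:-1].strip()
            modules[current] = dict(globals_)
            continue
        key, _, value = line.partition("=")
        target = globals_ if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return globals_, modules

def audit(modules):
    """'anonymous' if no 'auth users' (the default the article calls at risk),
    'open' if no 'hosts allow' restricts which client addresses may connect."""
    findings = {}
    for name, s in modules.items():
        issues = []
        if not s.get("auth users"):
            issues.append("anonymous")
        if not s.get("hosts allow"):
            issues.append("open")
        findings[name] = issues
    return findings

def is_patched(version_output):
    """True when `rsync --version` output reports 3.4.0 or later."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no rsync version string found")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION
```

Any module reported as "anonymous" is reachable without credentials and is the case Red Hat's bulletin describes as exploitable by default; "open" modules should additionally get a hosts allow list or be blocked at the perimeter.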
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

h_b_s - 1 week ago
Also unclear is the number of those enumerated devices running rsync ports purposely exposed as part of a honey pot. I wouldn't be surprised if it were a high percentage of honey pots, or actual exposed rsync services either way as it's an extremely useful file transfer protocol especially in Unix environments. That usefulness and ubiquity is also why it's often used as a honey pot lure.

leexgx - 1 week ago
So if you haven't secured it (auth just left it as public which is the default) can't they just download the files anyway