
On January 14, Google Cloud and other independent security researchers announced the discovery of six vulnerabilities in rsync, a widely used file synchronization tool. The most severe, CVE-2024-12084, is a buffer overflow flaw in the rsync daemon that, when combined with CVE-2024-12085, could lead to remote code execution, lateral movement in the network, and even full system compromise.
According to the official analysis by Coalition, more than 660,000 rsync installations are currently exposed to the internet, making this a highly attractive target for many threat actors. Coalition’s Exploit Scoring System gave these vulnerabilities a score of 67.58%, a rating that represents a significant threat for exploitability.
These flaws serve as a stark reminder of the persistent dangers of unpatched software in widely used, foundational tools that organizations rely on each and every day.
rsync’s Critical Role and its Newfound Security Risks
The rsync tool is an open-source file synchronization utility that has existed since the 1990s. It is typically found on Unix-like operating systems and is primarily used for system backup and restoration operations.
Many backup programs, including Rclone, DeltaCopy, and ChronoSync, use rsync as backend software to facilitate backup and disaster recovery processes and maintain updated copies of critical business data. Individual users also utilize the tool in similar ways; for example, rsync plays an important role in synchronizing files across personal devices or sending data to remote storage for data redundancy.
Because rsync is designed to be used over the network, internet-exposed instances are reachable by a large number of outside threat actors. An attacker could target this vulnerability to gain initial access to a company’s systems and then carry out further malicious actions, such as installing malware that deletes or exfiltrates sensitive data or disrupts vital backup operations.
While the Coalition Exploit Scoring System rated the exploit possibility as high (67.58%), it gave the rsync vulnerability a low usage score of 35.12%. This represents the organization’s view that it is likely that an official exploit will be available in the near future, yet it’s less likely that it will be fully weaponized.
However, as awareness of this vulnerability grows, the risk of exploitation may increase – especially if proof-of-concept code becomes available or if cybercriminals can identify vulnerable, unpatched systems to target.
Breaking Down the Vulnerabilities
The research team discovered six different vulnerabilities in the rsync tool. As described earlier, the CVE-2024-12084 flaw stood out as the most critical. It received a CVSS score of 9.8, representing a severe security risk due to the potential for remote code execution.
The flaw is a buffer overflow in the rsync daemon, i.e. rsync running in daemon mode, which is the mode generally used for remote synchronization. It stems from inadequate bounds checking in how rsync processes incoming data. Malicious input can trigger this weakness, enabling attackers to overwrite memory, execute arbitrary code, and potentially seize full control of the affected system.
Given rsync’s popularity and widespread adoption in enterprise environments, cloud services, and IT infrastructure, the impact of such an exploit could be far-reaching – and devastating.
How Should Businesses Address rsync Vulnerabilities?
Coalition and other experts recommend that organizations address all six CVEs by updating to rsync version 3.4.0 or higher.
Santiago Pontiroli, Lead Security Researcher at Acronis Threat Research Unit, agreed with this recommendation. “While some of the vulnerabilities disclosed only affect a limited number of rsync versions, it is strongly advised to update to the latest version, 3.4.1.”
Pontiroli also emphasized the broader security risks posed by the flaws while outlining additional mitigation strategies. “Even if there is no evidence of these vulnerabilities being exploited in the wild, the potential for remote code execution poses a significant risk,” he said. “This is especially true for those running the daemon’s default configuration since it doesn’t require authentication. File sharing and mirroring hosts that allow anonymous read access are at risk since no current mitigations are available other than updating to the latest version or filtering connections at the firewall level.”
Organizations using rsync should also limit the network exposure of rsync services to further reduce their attack surface. For example, restricting access to TCP port 873 (the rsync daemon’s default port) ensures that internal rsync servers are not reachable from the internet.
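As an added example (not from the article or the rsync project), the POSIX shell script below performs the two checks the recommendations above call for: it parses the installed rsync version and compares it against the 3.4.0 fix threshold, and it reports whether anything on the host is listening on TCP 873 so that firewall filtering can be applied. The `rsync --version` output format and the use of `ss` for the socket listing are assumptions about the host.

```shell
#!/bin/sh
# Added example: audit a host for the rsync update and port-873 exposure
# recommendations. MIN_FIXED is the first release the article cites as fixing all six CVEs.
MIN_FIXED="3.4.0"

# Compare two dotted version strings (major.minor.patch); prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# Succeeds (exit 0) when the given version is at or above MIN_FIXED.
rsync_is_patched() {
    [ "$(version_cmp "$1" "$MIN_FIXED")" -ge 0 ]
}

# Extract the version number from the first line of `rsync --version`,
# e.g. "rsync  version 3.2.7  protocol version 31" -> "3.2.7" (assumed format).
parse_rsync_version() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Report the installed version against MIN_FIXED and whether TCP 873 is listening.
audit_rsync() {
    if command -v rsync >/dev/null 2>&1; then
        v=$(parse_rsync_version "$(rsync --version 2>/dev/null | head -n 1)")
        if rsync_is_patched "$v"; then
            echo "rsync $v: at or above $MIN_FIXED"
        else
            echo "rsync $v: below $MIN_FIXED, update required"
        fi
    else
        echo "rsync not installed"
    fi
    if command -v ss >/dev/null 2>&1; then
        if ss -ltn 2>/dev/null | grep -q ':873 '; then
            echo "TCP 873 is listening: restrict it with firewall rules"
        else
            echo "TCP 873 is not listening"
        fi
    fi
}

audit_rsync
```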
Final Thoughts: Addressing rsync’s Vulnerabilities and Staying Ahead of Cyber Risks
The discovery of these six critical vulnerabilities in rsync, particularly CVE-2024-12084, underscores the need for immediate action. With more than 660,000 exposed installations and a high exploitability score, unpatched systems are now a prime target for cybercriminals. While there is no known exploitation yet, history shows that vulnerabilities of this scale can quickly become attack vectors.
Security teams must stay proactive with patch management and other cybersecurity best practices to protect critical infrastructure against rsync vulnerabilities and future cyber threats.