From 691699378e1b4e6df33784bad1dc172e7180f026 Mon Sep 17 00:00:00 2001 From: Jonathan Wright Date: Fri, 17 Jan 2025 11:47:35 -0600 Subject: [PATCH] Update content/blog/2025-01-17-rsync-vulnerabilities.md Co-authored-by: benny Vasquez --- content/blog/2025-01-17-rsync-vulnerabilities.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/blog/2025-01-17-rsync-vulnerabilities.md b/content/blog/2025-01-17-rsync-vulnerabilities.md index a24174ce..2dbc9b77 100644 --- a/content/blog/2025-01-17-rsync-vulnerabilities.md +++ b/content/blog/2025-01-17-rsync-vulnerabilities.md 
@@ -10,7 +10,10 @@ post: title: "Multiple rsync Vulnerabilities Discovered - Mitigation Status" image: /blog-images/2025/2025-01-17-rsync-vulnerabilities.png --- -Security researchers at Google, namely Pedro Gallegos, Simon Scannell, and Jasiel Spelman, identified vulnerabilities in both the rsync server and client. The server vulnerabilities ([CVE-2024-12084](https://access.redhat.com/security/cve/CVE-2024-12084) and [CVE-2024-12085](https://access.redhat.com/security/cve/CVE-2024-12085)) can lead to remote code execution (RCE). On the client side, vulnerabilities allow a malicious server to read arbitrary files ([CVE-2024-12086](https://access.redhat.com/security/cve/CVE-2024-12086)), create unsafe symlinks ([CVE-2024-12087](https://access.redhat.com/security/cve/CVE-2024-12087)), and, under certain conditions, overwrite arbitrary files ([CVE-2024-12088](https://access.redhat.com/security/cve/CVE-2024-12088)). Additionally, during the coordinated response to these issues, Aleksei Gorban reported a sixth vulnerability ([CVE-2024-12747](https://access.redhat.com/security/cve/CVE-2024-12747)) related to how the rsync server manages symlinks. +Security researchers at Google, namely Pedro Gallegos, Simon Scannell, and Jasiel Spelman, identified vulnerabilities in both the rsync server and client. These vulnerabilities range from extremely concerning to just annoying, and are at different stages of being patched. This blog post will be updated as patches are released by us. + +## The Announcement +The server vulnerabilities ([CVE-2024-12084](https://access.redhat.com/security/cve/CVE-2024-12084) and [CVE-2024-12085](https://access.redhat.com/security/cve/CVE-2024-12085)) can lead to remote code execution (RCE). 
On the client side, vulnerabilities allow a malicious server to read arbitrary files ([CVE-2024-12086](https://access.redhat.com/security/cve/CVE-2024-12086)), create unsafe symlinks ([CVE-2024-12087](https://access.redhat.com/security/cve/CVE-2024-12087)), and, under certain conditions, overwrite arbitrary files ([CVE-2024-12088](https://access.redhat.com/security/cve/CVE-2024-12088)). Additionally, during the coordinated response to these issues, Aleksei Gorban reported a sixth vulnerability ([CVE-2024-12747](https://access.redhat.com/security/cve/CVE-2024-12747)) related to how the rsync server manages symlinks. These vulnerabilities were responsibly disclosed to us through the CERT/CC Vulnerability Notes Database, ahead of the [public disclosure](https://www.kb.cert.org/vuls/id/952657) on January 14, 2025.
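Review bot: the new opening paragraph now credits only the Google researchers with identifying "vulnerabilities in both the rsync server and client", but the text kept under "## The Announcement" still attributes the sixth issue, CVE-2024-12747, to Aleksei Gorban; consider rewording the first sentence to something like "Security researchers at Google ... identified five vulnerabilities ..., and a sixth was reported by Aleksei Gorban during the coordinated response" so the intro and the section agree. Two smaller points on the same hunk: the added promise "This blog post will be updated as patches are released by us" would be more useful with a dated "Last updated:" line near the top, since readers of a post titled "Mitigation Status" need to know whether what they are reading is current; and "range from extremely concerning to just annoying" is informal for a security advisory, so either drop it or anchor it to the distinction the next section already makes (server-side RCE versus client-side file read/write).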