CVE-2024-12088: Rsync '--safe-links' option fails to properly verify symbolic links, leading to path traversal vulnerability

A flaw has been recently discovered in the popular file synchronization utility, rsync, which poses a potential security risk. When using the --safe-links option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This can lead to a path traversal vulnerability that may result in arbitrary file writes outside the desired directory. In this post, we will discuss the details of this vulnerability, the affected versions of rsync, and how to mitigate the issue.

Vulnerability Details

Rsync is a widely used utility for synchronizing files and directories between two locations. This tool is designed to be fast and efficient, making it ideal for maintaining backups, or ensuring files up-to-date between different machines. However, this newly discovered vulnerability (CVE-2024-12088) demonstrates how the use of the --safe-links option can lead to unintended consequences.

When the --safe-links option is used, rsync is expected to only treat symbolic links as safe if they do not point outside the source directories. This is meant to prevent path traversal vulnerabilities that could allow an attacker to gain access to files outside the intended synchronization area.

Unfortunately, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This can lead to a path traversal vulnerability. Here's an example of how this vulnerability can be exploited:

Code Snippet

# Attacker creates a symbolic link in their directory
attacker$ ln -s /etc/shadow evil_sym_link

# Victim uses rsync with --safe-links option to copy attacker's directory
victim$ rsync -avz --safe-links attacker@remote_server:/path/to/attacker_dir /path/to/local_dir

In this scenario, the victim will end up unintentionally copying the contents of the /etc/shadow file to their local machine.

Affected Versions

It is currently believed that rsync versions 3.. and later are affected by this vulnerability. Check your rsync version with the following command:

$ rsync --version

Mitigation Steps

Until a patch is released to fix this vulnerability, users can mitigate the issue by taking one of the following actions:

For more information on this vulnerability, please see the following sources

- CVE-2024-12088
- Rsync Vulnerability Disclosure
- Rsync GitHub Repository

Conclusion

This rsync path traversal vulnerability (CVE-2024-12088) demonstrates the importance of continuously validating tools and all provided options for security issues. Although the underlying flaw may not affect all users, those who rely on the --safe-links option should take necessary precautions to prevent unauthorized file access and potential data breaches. As always, staying up to date with the latest software patches and security news will help reduce the risk of exposure to such vulnerabilities.

Timeline

Published on: 01/14/2025 18:15:25 UTC
Last modified on: 03/15/2025 00:15:03 UTC