CodeNewbie Community 🌱

Sharon428931

Rsync Under Attack: New Buffer Overflow Flaws Could Leak Server Data

About the Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Rsync, the popular file synchronization tool developed by Samba.org, has been hit by two high-severity security flaws affecting its server-side daemon, rsyncd. These flaws, CVE-2024-12084 and CVE-2024-12085, were disclosed on January 14, 2025, and could allow attackers to gain unauthorized access and execute arbitrary operations on vulnerable servers.

If you're running Rsync in any production or mirror-distribution setup, read on and patch now.


What's the Risk?

These vulnerabilities are triggered during checksum comparison, where rsyncd mishandles a user-supplied checksum length. This flaw leads to either:

  • A buffer overflow, or
  • An information leak via uninitialized memory reads

What makes these bugs dangerous is that:

  • They are pre-auth (no credentials needed)
  • The default configuration is vulnerable (anonymous access allowed)
  • Exploits can be launched remotely over the network (port 873/TCP)

While no in-the-wild exploitation or public PoC has been reported (yet), the impact is serious: attackers could overwrite or read arbitrary files, extract sensitive memory content, tamper with sync configurations, or implant backdoors.


Affected Versions

  • CVE-2024-12084: Affects 3.2.7 < Rsync < 3.4.0
  • CVE-2024-12085: Affects all Rsync < 3.4.0

Safe versions:

Upgrade to Rsync 3.4.0 or later

You can check your current version with:

rsync --version
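Reading the version string by eye is error-prone when you have many mirrors, and a lexical comparison gets "3.10.0" wrong. The following POSIX shell script is an added example, not code from the original post or from the rsync project: it parses the first line of `rsync --version` output and classifies the version against the two affected ranges stated above. SAMPLE_VERSION_OUTPUT is a constructed sample in the real output format; the function names ver_key, rsync_affected and parse_rsync_version are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): classify an rsync version
# against the affected ranges from the advisory.
#   CVE-2024-12084: 3.2.7 < version < 3.4.0
#   CVE-2024-12085: version < 3.4.0

# Constructed sample of `rsync --version` output (the first line mirrors the
# real format, which is what parse_rsync_version relies on).
SAMPLE_VERSION_OUTPUT='rsync  version 3.2.7  protocol version 31
Copyright (C) 1996-2022 by Andrew Tridgell, Wayne Davison, and others.'

# ver_key X.Y.Z -> integer that orders dotted versions numerically
# (3.10.0 > 3.4.0). Missing fields count as 0; suffixes such as "pre1" are dropped.
ver_key() {
  IFS=. read -r maj min pat <<EOF
$1
EOF
  min=${min%%[!0-9]*}
  pat=${pat%%[!0-9]*}
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# rsync_affected VERSION -> prints the CVE ids that apply to VERSION, or "none".
rsync_affected() {
  k=$(ver_key "$1")
  if [ "$k" -ge "$(ver_key 3.4.0)" ]; then
    echo "none"
  elif [ "$k" -gt "$(ver_key 3.2.7)" ]; then
    echo "CVE-2024-12084 CVE-2024-12085"
  else
    echo "CVE-2024-12085"
  fi
}

# parse_rsync_version OUTPUT -> the X.Y.Z token from the first line of
# `rsync --version` output, or nothing if the line does not match.
parse_rsync_version() {
  printf '%s\n' "$1" | sed -n '1s/^rsync *version *\([0-9][0-9.]*\).*/\1/p'
}

# Stand-alone use: report on the constructed sample, then on the local binary
# if one is installed.
v=$(parse_rsync_version "$SAMPLE_VERSION_OUTPUT")
echo "sample rsync $v: $(rsync_affected "$v")"
if command -v rsync >/dev/null 2>&1; then
  lv=$(parse_rsync_version "$(rsync --version 2>/dev/null || true)")
  if [ -n "$lv" ]; then
    echo "local rsync $lv: $(rsync_affected "$lv")"
  fi
fi
```

Treat a hit as a prompt to look further rather than a verdict: distribution packages sometimes backport the fix while keeping the older upstream version string, so confirm against your distribution's package changelog or advisory before deciding a host is unpatched.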

Mitigation and Fix

Official Patch (Recommended)

Rsync 3.4.0 fixes both vulnerabilities. Download the latest version here:

https://rsync.samba.org/download.html


Temporary Workarounds

If you can't patch right away, apply these steps:

  1. Disable Anonymous Access
    Edit your rsyncd.conf to enforce user authentication:
   auth users = yourusername
   secrets file = /etc/rsyncd.secrets

And define username/password pairs in /etc/rsyncd.secrets.

  2. Restrict Network Access
    Use firewalls or ACLs to block port 873/TCP from untrusted IPs. Only expose Rsync to trusted internal networks.

  3. Avoid Exposing Rsync Directly
    Prefer syncing over SSH or VPN tunnels instead of exposing the Rsync daemon to the public internet.

  4. Regular Security Hygiene

    • Audit Rsync usage and configurations regularly
    • Back up critical Rsync data
    • Monitor logs for suspicious access
    • Apply patches as soon as they're released
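The workaround steps above come down to two settings per module: `auth users` (with a `secrets file`) to remove anonymous access, and `hosts allow` to restrict which networks can reach the module. The following POSIX shell script is an added example, not code from the original post or from the rsync project: it audits an rsyncd.conf and reports each module that is still missing either protection, so the check can run from cron as part of the "audit configurations regularly" step. SAMPLE_CONF is a constructed config; the function names audit_rsyncd_conf and audit_has_findings are my own. It assumes the standard rsyncd.conf layout (global parameters first, then `[module]` sections, with global parameters acting as defaults for every module) and that parameter names are matched ignoring case and whitespace, as rsync's Samba-style parser does.

```shell
#!/bin/sh
# Added example (not part of the original post): find rsyncd.conf modules that
# still allow anonymous access or are reachable from any host.

# Constructed sample config. "public" is the kind of module the workaround
# targets; "internal" already has both protections.
SAMPLE_CONF='
# global settings
use chroot = yes
log file = /var/log/rsyncd.log

[public]
    path = /srv/mirror
    read only = yes

[internal]
    path = /srv/data
    auth users = syncuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
'

# audit_rsyncd_conf CONFIG_TEXT
# Prints one line per module: "<module> ok" or
# "<module> <comma-separated findings>" (no-auth-users, no-hosts-allow).
audit_rsyncd_conf() {
  printf '%s\n' "$1" | awk '
    # Parameter names are compared ignoring case and whitespace (assumed to
    # match rsync, whose config parser is Samba-derived).
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function report() {
      if (module == "") return
      findings = ""
      if (!has_auth)  findings = findings "no-auth-users,"
      if (!has_hosts) findings = findings "no-hosts-allow,"
      sub(/,$/, "", findings)
      print module, (findings == "" ? "ok" : findings)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[.*][ \t]*$/ {                    # "[module]" header
      report()
      s = index($0, "["); e = index($0, "]")
      module = substr($0, s + 1, e - s - 1)
      has_auth = g_auth; has_hosts = g_hosts  # inherit global defaults
      next
    }
    {
      key = $0; sub(/=.*/, "", key); key = norm(key)
      if (module == "") {                      # global section
        if (key == "authusers")  g_auth = 1
        if (key == "hostsallow") g_hosts = 1
      } else {
        if (key == "authusers")  has_auth = 1
        if (key == "hostsallow") has_hosts = 1
      }
    }
    END { report() }
  '
}

# audit_has_findings CONFIG_TEXT -> exit status 0 if any module has findings,
# 1 if every module is "ok"; handy as a cron or CI gate.
audit_has_findings() {
  audit_rsyncd_conf "$1" | awk '$2 != "ok" { found = 1 } END { exit !found }'
}

# Stand-alone use: audit the constructed sample, then the live file if present.
audit_rsyncd_conf "$SAMPLE_CONF"
if [ -r /etc/rsyncd.conf ]; then
  audit_rsyncd_conf "$(cat /etc/rsyncd.conf)"
fi
```

Run against the sample, the output is `public no-auth-users,no-hosts-allow` followed by `internal ok`. A `hosts allow` entry is only as good as the network behind it, so pair the config check with the firewall rule for 873/TCP described in step 2; and an `auth users` line without a matching entry in the secrets file locks out legitimate clients rather than attackers, so test a sync after changing it.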

Timeline

  • Jan 14, 2025: Vulnerabilities publicly disclosed
  • Jan 17, 2025: Emergency advisory issued by local CERT teams and vendors

Protect your infrastructure proactively. If you're managing public-facing file servers or mirroring systems, update Rsync and lock down configurations before attackers find you first.

