CVE-2024-12086: 
rsync vulnerability analysis and mitigation

A vulnerability (CVE-2024-12086) was discovered in rsync that could allow a malicious server to enumerate the contents of arbitrary files from a client's machine. The vulnerability was disclosed on January 14, 2025, affecting rsync versions 3.3.0 and below. This security flaw occurs during the file copying process from client to server (CERT VU, NVD).

The vulnerability manifests when files are being copied from a client to a server. During this process, the rsync server sends checksums of local data to the client for comparison to determine what data needs to be transferred. By sending specially constructed checksum values for arbitrary files, an attacker can reconstruct the data of those files byte-by-byte based on the responses from the client. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N (NVD).

The vulnerability allows a malicious server to extract sensitive data from client machines, potentially exposing confidential information. When exploited, attackers can read arbitrary files from connected clients, which could lead to the exposure of sensitive data such as SSH keys and other confidential information (CERT VU).

Organizations should upgrade to rsync version 3.4.0 or later, which addresses this vulnerability. If immediate patching is not possible, it is recommended to restrict rsync access and ensure instances are not exposed to the Internet. The default rsync port 873 should be blocked or restricted at the firewall or security group level to reduce the risk of exploitation (CERT VU).

Multiple Linux distributions and vendors have acknowledged the vulnerability and are actively working on updates. AlmaLinux, Red Hat, SUSE Linux, and other major distributions have confirmed they are affected by this vulnerability and are providing patches through their respective update channels (CERT VU).