
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A race condition vulnerability (CVE-2024-12747) was discovered in rsync, affecting versions up to 3.3.0. The vulnerability was disclosed on January 14, 2025, and was discovered by Aleksei Gorban. The flaw is in rsync's handling of symbolic links: by default, rsync skips symbolic links during file synchronization operations (NVD, Ubuntu Blog).
The vulnerability arises from a race condition during rsync's handling of symbolic links. When an attacker replaces a regular file with a symbolic link at precisely the right moment, they can bypass rsync's default behavior of skipping symbolic links. The vulnerability has been assigned a CVSS v3.1 base score of 5.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N, which indicates that local access is required, attack complexity is high, and the potential confidentiality impact is high (NVD).
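The race described above belongs to the check-then-use class of path bugs. The C example below is an added illustration, not rsync's source code or its actual fix: it contrasts a path check followed by a separate open with a single open that refuses a symbolic link and then validates the opened descriptor. The function names and the temporary-directory fixture are assumptions made for this example.

```c
/* Illustration of the bug class (added example, not rsync source code). */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: lstat() checks the path, then open() resolves it a second time. If
 * the file becomes a symlink between the two calls, open() follows it. */
int open_regular_racy(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                  /* symlinks and special files skipped */
    return open(path, O_RDONLY);    /* window: path may have changed */
}

/* Hardened: open once, refuse a symlink as the final path component, then
 * validate the object actually opened through its descriptor. O_NONBLOCK
 * avoids hanging on a FIFO. Symlinks in parent directories are NOT covered. */
int open_regular_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;          /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a temp dir holding one regular file and one symlink
 * to it. Returns bit 0 = regular file accepted, bit 1 = symlink refused. */
int demo_safe_open(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", file[64], lnk[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    if ((fd = open_regular_safe(file)) >= 0) { result |= 1; close(fd); }
    if (open_regular_safe(lnk) < 0) result |= 2;
    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void) { printf("result bits: %d\n", demo_safe_open()); return 0; }
```

Both functions reject a symlink that is already in place, so static testing does not distinguish them; the difference is that the hardened form leaves no interval between the check and the open.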
The exploitation of this vulnerability could lead to privilege escalation and information disclosure. Depending on the privileges of the rsync process, an attacker could potentially access sensitive information by exploiting the symbolic link race condition. This is particularly concerning in scenarios where rsync runs with elevated privileges, as it could allow unprivileged users to access sensitive files (NVD, CERT VU).
Users are advised to update to rsync version 3.4.0 or later, which contains fixes for this vulnerability. System administrators should ensure that all instances of rsync in their environment are updated to the patched version. For systems that cannot be immediately updated, administrators should carefully review and restrict rsync privileges and access (CERT VU).
Multiple Linux distributions and vendors have acknowledged the vulnerability and are working on providing updates. AlmaLinux, Red Hat, SUSE Linux, and other major distributions have confirmed they are affected by this vulnerability and are releasing patches (CERT VU).
Source: This report was generated using AI