
RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability

Risk

High

Date Discovered

December 4, 2003

Description

rsync has been reported to be prone to an undisclosed heap overflow vulnerability when running in daemon mode. The issue is reported to be remotely exploitable and can lead to the execution of arbitrary code.

Technologies Affected

  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.2
  • EnGarde Secure Community 1.0.1
  • EnGarde Secure Community 2.0.0
  • EnGarde Secure Professional 1.1.0
  • EnGarde Secure Professional 1.2.0
  • EnGarde Secure Professional 1.5.0
  • RedHat Fedora Core1
  • RedHat rsync-2.4.6-2.i386.rpm
  • RedHat rsync-2.4.6-5.i386.rpm
  • RedHat rsync-2.4.6-5.ia64.rpm
  • RedHat rsync-2.5.4-2.i386.rpm
  • RedHat rsync-2.5.5-1.i386.rpm
  • RedHat rsync-2.5.5-4.i386.rpm
  • SGI ProPack 2.3.0
  • Slackware Linux -current
  • Slackware Linux 8.1.0
  • Slackware Linux 9.0.0
  • Slackware Linux 9.1.0
  • Sun Cobalt Qube 3
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ XTR
  • rsync rsync 2.3.1
  • rsync rsync 2.3.2
  • rsync rsync 2.4.0
  • rsync rsync 2.4.1
  • rsync rsync 2.4.3
  • rsync rsync 2.4.4
  • rsync rsync 2.4.5
  • rsync rsync 2.4.6
  • rsync rsync 2.4.8
  • rsync rsync 2.5.0
  • rsync rsync 2.5.1
  • rsync rsync 2.5.2
  • rsync rsync 2.5.3
  • rsync rsync 2.5.4
  • rsync rsync 2.5.5
  • rsync rsync 2.5.6

Recommendations

Block external access at the network boundary, unless external parties require service.

If applicable, filter access to the affected service at the network perimeter. Allow access for trusted hosts and networks only.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Deploy network- and host-based intrusion detection systems. Flag suspicious network or host activity involving TCP port 873, and be especially vigilant in log file audits.

Run all software as a nonprivileged user with minimal access rights.

Running the daemon with the least privileges possible, in a chroot, jail or otherwise restricted environment, may help mitigate the impact of successful exploitation of this issue.

Implement multiple redundant layers of security.

An attacker's ability to exploit this vulnerability to execute arbitrary code may be hindered by various memory protection schemes. Where possible, use non-executable and randomly mapped memory segments.

Modify default configuration files to disable any unwanted behavior.

Setting "use chroot = yes" in the rsyncd.conf configuration file may increase the difficulty of exploiting this issue.
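As an added example (not Symantec's or the rsync project's code), the following script audits an rsyncd.conf for the settings recommended above: for each module it flags "use chroot = no", a root uid, a missing "hosts allow" restriction and a writable module. It assumes rsync's defaults of "use chroot" and "read only" enabled and uid nobody, and that values in the global section act as module defaults; the sample configurations are constructed.

```python
import re
from typing import Dict, List

Section = Dict[str, str]
OFF = ("no", "false", "0")  # spellings rsyncd.conf accepts for a disabled boolean


def parse_rsyncd_conf(text: str) -> Dict[str, Section]:
    """Minimal rsyncd.conf parser: [module] headers, key = value lines, #/; comments."""
    sections: Dict[str, Section] = {"": {}}  # "" holds the global section
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_rsyncd_conf(text: str) -> List[str]:
    """One finding per module setting that undercuts the recommendations above."""
    conf = parse_rsyncd_conf(text)
    findings: List[str] = []
    for name, module in conf.items():
        if not name:
            continue
        # Module values override global ones (assumed, as in rsync's own parser); a
        # missing key falls back to the assumed defaults: chroot on, read only on,
        # uid nobody, and no host filtering at all.
        cfg = {**conf[""], **module}
        if cfg.get("use chroot", "yes").lower() in OFF:
            findings.append(f"[{name}] use chroot = no: daemon not confined to the module path")
        if cfg.get("uid", "nobody").lower() in ("root", "0"):
            findings.append(f"[{name}] uid = root: a compromise yields full privileges")
        if not cfg.get("hosts allow"):
            findings.append(f"[{name}] no 'hosts allow': any host may reach TCP port 873")
        if cfg.get("read only", "yes").lower() in OFF:
            findings.append(f"[{name}] read only = no: clients may write to the module")
    return findings


# Constructed sample configurations (not taken from any real host)
WEAK_CONF = "uid = root\n[backup]\n  path = /srv/backup\n  use chroot = no\n"
HARDENED_CONF = ("[backup]\n  path = /srv/backup\n  use chroot = yes\n  read only = yes\n"
                 "  uid = nobody\n  hosts allow = 192.0.2.0/24\n")
```

Running audit_rsyncd_conf(WEAK_CONF) reports three findings (chroot off, root uid, no host restriction), while the hardened sample reports none.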

  • Sun have released a fix to address this issue in the Sun Cobalt RaQ XTR. The fix is linked below. Sun have released fixes to address this issue in Sun Cobalt RaQ4 and Qube 3 products. Fixes are linked below.
  • Immunix has released an advisory and fixes to address this issue.
  • Mandrake has released an advisory that includes fixes to address this issue.
  • Red Hat Linux has released an advisory (FEDORA-2003-030) and fixes to address this issue in Fedora Core 1. Affected users are advised to apply appropriate fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.
  • Red Hat Linux has released an advisory (RHSA-2003:399-06) to address this issue in Enterprise systems. Affected customers are advised to apply appropriate fixes from the Red Hat Network as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.
  • Red Hat Linux has released an advisory (RHSA-2003:398-01) and fixes to address this issue. Affected users are advised to apply appropriate fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.
  • Gentoo Linux has released an advisory (200312-03) to address this issue. Gentoo have advised that users upgrade to version 2.5.7 of rsync. Users can accomplish this by typing: emerge sync; emerge >=net-misc/rsync-2.5.7
  • EnGarde has released an advisory (ESA-20031204-032) with fixes to address this issue. Guardian Digital Secure Network subscribers may update affected packages using the WebTool. See referenced advisory for additional details.
  • Slackware has released Slackware Linux Security Advisory SSA:2003-337-01 with fixes to address this issue.
  • Advisory OpenPKG-SA-2003.051 has been released by The OpenPKG Project to address this issue.
  • Debian has released advisory DSA 404-1 to address this issue.
  • Trustix advisory #2003-0048 has been released with fixes for this issue. See references for additional details.
  • SuSE Security Announcement SuSE-SA:2003:050 has been released with fixes for this issue.
  • Conectiva has released an advisory and fixes to address this issue.
  • OpenBSD has made a fixed version available.
  • TurboLinux has released a security advisory to address this issue. Affected users are advised to execute the following commands: "# turbopkg", or for zabom-1.x "# zabom update rsync", or for zabom-2.x "# zabom -u rsync". Additional TurboLinux information is available in the referenced advisory.
  • rsync version 2.5.7 has been released to resolve these issues.
  • SGI has released a security advisory 20031202-01-U with fixes for SGI ProPack v2.3 for the Altix family of systems. Please see the referenced advisory for more information.
  • Apple has released advisories to fix this issue in Apple Jaguar for Mac OS X 10.2.8 and Mac OS X Server 10.2.8 and Panther for Mac OS X 10.3.2 and Mac OS X Server 10.3.2. Please see referenced advisories for more details about obtaining fixes.
  • SCO has released advisory CSSA-2004-010.0 dealing with this issue. For more information please see the referenced advisory.

Credits

Discovery credited to Timo Sirainen, Mike Warfield, Paul Russell, and Andrea Barisani.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
