Fortra is actively researching multiple vulnerabilities impacting rsync: CVE-2024-12084: CVSS 3.1: 9.8, CVE-2024-12085: CVSS 3.1: 7.5, CVE-2024-12086: CVSS 3.1: 6.1, CVE-2024-12087: CVSS 3.1: 6.5, CVE-2024-12088: CVSS 3.1: 6.5, CVE-2024-12747: CVSS 3.1: 5.6.
Of the six vulnerabilities disclosed in rsync, CVE-2024-12084 is the most critical, with a CVSS score of 9.8. It is a heap buffer overflow that could allow anyone with anonymous read access to execute code on vulnerable systems. More than 600,000 servers exposed to the internet could be affected by this vulnerability.
The five remaining vulnerabilities include a single-byte leak of uninitialized stack data (CVE-2024-12085), client file leakage (CVE-2024-12086), two path traversals (CVE-2024-12087 and CVE-2024-12088), and a race condition that could lead to privilege escalation (CVE-2024-12747).
Who is affected?
The following products are affected by these vulnerabilities.
CVE-2024-12084
- rsync >= 3.27 and < 3.4.0
CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
- rsync < 3.4.0
What can I do?
Customers should upgrade to rsync 3.4.0 as soon as possible.
For additional information about these vulnerabilities, planned patches, and vendor recommendations, refer to the Security Bulletin and Vendor page.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below:
- Log Management: Alert Logic deployed log research telemetry for anonymous rsync usage on January 15th.
- Alert Logic Vulnerability Scanning: Alert Logic released network authenticated scan coverage for Ubuntu, Alma Linux, Amazon Linux, and Red Hat Enterprise Linux (RHEL) on January 17th.
- FortraVM: Fortra has completed local coverage via package detection on February 12, 2025.
- Tripwire IP360: Tripwire released scan coverage on January 14, 2025, to identify vulnerable instances. The following table identifies matching vulnerabilities.
| CVE | Tripwire IP360 Vulnerabilities |
| --- | --- |
| CVE-2024-12084 | 694409, 694714, 694767, 694837, or 694927 |
| CVE-2024-12085 | 694365, 694366, 694386, 694392, 694402, 694408, 694429, 694692, 694697, 694713, 694766, 694772, 694836, 694926, 694970, or 694973 |
| CVE-2024-12086 | 694401, 694407, 694428, 694691, 694696, 694712, 694765, 694771, 694835, 694925, or 694969 |
| CVE-2024-12087 | 694400, 694406, 694427, 694690, 694695, 694711, 694764, 694770, 694834, 694924, or 694968 |
| CVE-2024-12088 | 694404, 694410, 694431, 694694, 694699, 694715, 694768, 694774, 694838, 694928, or 694972 |
| CVE-2024-12747 | 694403, 694411, 694430, 694693, 694698, 694716, 694769, 694773, 694839, 694929, or 694971 |
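The Log Management item above refers to telemetry for anonymous rsync usage, which matters because CVE-2024-12084 is reachable by anyone with anonymous read access. The following is an added example (not Fortra's or Alert Logic's detection logic) that flags anonymous module access in rsyncd logs; it assumes rsyncd's module-access line of the form `rsync on MODULE from HOST (ADDR)`, where an authenticated connection shows `USER@HOST`, and the sample log lines are constructed.

```python
import re

# Constructed sample rsyncd log lines (not from the advisory). Authenticated
# module access carries "user@host"; anonymous access carries only "host".
SAMPLE_LOG = """\
2025/01/15 10:01:02 [4101] connect from UNKNOWN (203.0.113.7)
2025/01/15 10:01:02 [4101] rsync on backups/ from UNKNOWN (203.0.113.7)
2025/01/15 10:05:44 [4118] connect from build01 (10.0.0.12)
2025/01/15 10:05:44 [4118] rsync on src/ from ci@build01 (10.0.0.12)
2025/01/15 10:09:10 [4130] rsync to public/ from UNKNOWN (198.51.100.9)
"""

# Assumed log layout: "TIMESTAMP [PID] rsync on|to MODULE from [USER@]HOST (ADDR)".
# "on" is a read (server sends), "to" is a write (server receives).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] rsync (?P<dir>on|to) (?P<module>\S+) "
    r"from (?:(?P<user>[^@\s]+)@)?(?P<host>\S+) \((?P<addr>[^)]+)\)$"
)


def parse_module_access(line):
    """Return a dict for a module-access line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # No "user@" prefix means the daemon did not authenticate the client.
    event["anonymous"] = event["user"] is None
    event["direction"] = "read" if event["dir"] == "on" else "write"
    return event


def find_anonymous_access(log_text):
    """Collect every anonymous module access, read or write, from a log."""
    events = []
    for line in log_text.splitlines():
        event = parse_module_access(line)
        if event is not None and event["anonymous"]:
            events.append(event)
    return events


def anonymous_source_addresses(log_text):
    """Distinct client addresses that accessed a module without authenticating."""
    return sorted({e["addr"] for e in find_anonymous_access(log_text)})


if __name__ == "__main__":
    for e in find_anonymous_access(SAMPLE_LOG):
        print(f"{e['ts']} anonymous {e['direction']} of {e['module']} from {e['addr']}")
```

Hosts reporting anonymous reads are the ones to prioritise for the rsync 3.4.0 upgrade, since anonymous read access is the precondition for CVE-2024-12084.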
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. We will update this article with new information about these vulnerabilities and related security coverage as it becomes available.
1/14/2024: Tripwire released Tripwire IP360 scan coverage to identify vulnerable instances related to CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747.
1/15/2025: Alert Logic shipped log research telemetry for anonymous rsync usage.
1/17/2025: Alert Logic released network authenticated scan coverage for Ubuntu, Alma Linux, Amazon Linux, and Red Hat Enterprise Linux (RHEL).
2/12/2025: Fortra has completed local coverage via package detection.