CVE-2022-29154: Rsync client-side arbitrary file write vulnerability

The developer of the rsync project has just released new versions of their software to patch a vulnerability (CVE-2022-29154) that could allow attackers to write arbitrary files inside the directories of connecting peers.

rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License and is currently being maintained by Wayne Davison.

Rsync developers informed users recently that all versions of Rsync prior to 3.2.5 was affected by the CVE-2022-29154 vulnerability.

“Due to the insufficient controls inside the [do_server_recv] function, a malicious rysnc server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories. An attacker abusing this vulnerability can overwrite critical files under the target rsync directory and subdirectories (for example, to overwrite the .ssh/authorized_keys file),” read the openwall website.

On August 1st, Rsync version 3.2.5pre1 added some file-list safety checking that helps to ensure that a rogue sending rsync can’t add unrequested top-level names and/or include recursive names that should have been excluded by the sender. These extra safety checks only require the receiver rsync to be updated. When dealing with an untrusted sending host, it is safest to copy into a dedicated destination directory for the remote content (i.e. don’t copy into a destination directory that contains files that aren’t from the remote host unless you trust the remote host).