CVE-2024-12084 - Vulnerability Details - OpenCVE

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://kb.cert.org/vuls/id/952657
https://nvd.nist.gov/vuln/detail/CVE-2024-12084
https://www.cve.org/CVERecord?id=CVE-2024-12084

History

Wed, 15 Jan 2025 02:00:00 +0000

Type	Values Removed	Values Added
Description		A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
Title		rsync: Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
Weaknesses		CWE-122
References		https://kb.cert.org/vuls/id/952657 https://nvd.nist.gov/vuln/detail/CVE-2024-12084 https://www.cve.org/CVERecord?id=CVE-2024-12084
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Critical`

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Critical

Publid Date: 2025-01-14T15:06:00Z

Links: CVE-2024-12084 - Bugzilla

{"acknowledgement": "Red Hat would like to thank Jasiel Spelman (Google), Pedro Gallegos (Google), and Simon Scannell (Google) for reporting this issue.", "bugzilla": {"description": "rsync: Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling", "id": "2330527", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330527"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-12084", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-01-14T15:06:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12084\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12084\nhttps://kb.cert.org/vuls/id/952657"], "statement": "Red Hat rates this flaw to have critical severity because it allows an attacker to exploit a heap-based buffer overflow by supplying a malicious s2length value during checksum parsing. The ability to write up to 48 bytes beyond the bounds of the sum2 buffer enables overwriting adjacent memory on the heap, which can lead to arbitrary code execution under specific heap conditions. Since rsync is often used in network-facing and automated environments, a remote attacker could craft a malicious protocol negotiation to trigger this vulnerability, potentially compromising the integrity, confidentiality, and availability of the system.\nKeep in mind that rsync's default rsyncd configuration allows anonymous file syncing, which is at risk of this vulnerability. Otherwise, an attacker will need valid credentials for servers which require authentication.\nThe combination of memory corruption, remote exploitation, and the potential for system takeover for a default configuration elevates this issue to critical severity.", "threat_severity": "Critical"}