CVE-2022-29154 Overview
CVE-2022-29154 is an improper input validation vulnerability discovered in rsync versions prior to 3.2.5. This security flaw allows malicious remote servers to write arbitrary files inside the directories of connecting clients. While the rsync protocol allows servers to specify which files and directories are transmitted to clients, the rsync client fails to perform adequate validation of received file names, enabling attackers to exploit this trust relationship.
Critical Impact
A malicious rsync server or Man-in-the-Middle attacker can overwrite arbitrary files in the rsync client's target directory and subdirectories, including sensitive files like .ssh/authorized_keys, potentially leading to complete system compromise.
Affected Products
- Samba rsync (versions before 3.2.5)
- Fedora 35
- Fedora 36
Discovery Timeline
- 2022-08-02 - CVE-2022-29154 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29154
Vulnerability Analysis
This vulnerability stems from a fundamental trust issue in the rsync client-server communication model. When an rsync client connects to a remote server, it expects the server to provide a list of files to synchronize. The server controls which files are sent, including their paths and names. However, the client's validation of these file names is insufficient, allowing a malicious server to send files with crafted names that escape the intended target directory.
The impact of this vulnerability is significant because rsync is widely used for backup operations, system synchronization, and automated deployment scripts. Many organizations rely on rsync for critical infrastructure tasks, often running with elevated privileges. A successful exploitation could allow attackers to overwrite system configuration files, inject malicious SSH keys for persistent access, or modify scripts that execute with elevated privileges.
Root Cause
The root cause of CVE-2022-29154 lies in CWE-20: Improper Input Validation. The rsync client does not properly sanitize or validate file paths received from the server before writing files to the local filesystem. A server can therefore supply path components or crafted file names that cause files to be written to unintended locations within the directory tree the client is allowed to write to.
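To make the "insufficient validation of file names" concrete, the following added example (written for this page, not rsync's own code) models the check a hardened client has to apply to a peer-supplied file list: names are normalised and rejected if absolute, NUL-bearing or containing a ".." component, and then every name is compared against what the client actually requested, so a server cannot slip in entries such as .ssh/authorized_keys when the client only asked for one file. The request semantics (trailing slash means "contents of the directory") and the sample file lists are constructed assumptions for illustration.

```python
import posixpath


def clean_name(name: str):
    """Normalise a '/'-separated file name sent by the peer.

    Returns the cleaned name, or None if the name must be rejected outright.
    """
    if not name or "\0" in name or name.startswith("/"):
        return None                       # empty, NUL-bearing or absolute
    if any(part == ".." for part in name.split("/")):
        return None                       # any parent-directory component
    norm = posixpath.normpath(name)       # folds './' and duplicate slashes
    return None if norm == "." else norm


def matches_request(name: str, requested: list) -> bool:
    """True if `name` is something the client actually asked the server for.

    `requested` holds the source arguments as the client gave them (assumed
    model of rsync's argument handling, used here for illustration):
      'dir/'  -> the *contents* of dir arrive without a 'dir/' prefix, so any
                 well-formed name is expected
      'dir'   -> the entry 'dir' itself and names below 'dir/' are expected
      'file'  -> exactly that name is expected
    """
    for req in requested:
        if req.endswith("/"):
            return True
        base = posixpath.normpath(req)
        if name == base or name.startswith(base + "/"):
            return True
    return False


def validate_file_list(requested: list, received: list):
    """Split the peer's file list into (accepted, rejected) before any write."""
    accepted, rejected = [], []
    for raw in received:
        name = clean_name(raw)
        if name is None or not matches_request(name, requested):
            rejected.append(raw)          # keep the raw form for logging
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed demo: the client asked only for 'backup/notes.txt', but the
    # peer's file list also carries entries that would land outside that request.
    asked = ["backup/notes.txt"]
    sent = ["backup/notes.txt", ".ssh/authorized_keys",
            "backup/../.bashrc", "/etc/passwd"]
    ok, bad = validate_file_list(asked, sent)
    print("accepted:", ok)   # ['backup/notes.txt']
    print("rejected:", bad)  # ['.ssh/authorized_keys', 'backup/../.bashrc', '/etc/passwd']
```

The important design point is that the check runs on the whole file list before the first byte is written, and that rejection is based on what was requested rather than only on syntactic traversal: the entry .ssh/authorized_keys is a perfectly well-formed relative name and only fails because the client never asked for it.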
Attack Vector
The vulnerability is exploitable over the network, making it particularly dangerous in scenarios where:
- Compromised rsync servers - If an attacker gains control of an rsync server that clients trust, they can exploit any connecting client
- Man-in-the-Middle attacks - An attacker positioned between a legitimate rsync client and server can intercept and modify the file transfer, injecting malicious files
- Rogue rsync servers - Attackers can set up malicious rsync servers and trick users into connecting through social engineering or DNS hijacking
The attack does not require authentication and can be executed without user interaction once a client initiates a connection to a malicious or compromised server. A successful attack targeting the .ssh/authorized_keys file would grant the attacker persistent SSH access to the victim system.
Detection Methods for CVE-2022-29154
Indicators of Compromise
- Unexpected modifications to files in .ssh/ directories, particularly authorized_keys
- Anomalous files appearing in rsync target directories that were not part of the expected synchronization
- rsync client connections to unfamiliar or suspicious server IP addresses
- Unexpected changes to system configuration files or scripts in rsync-managed directories
Detection Strategies
- Monitor file system integrity in directories commonly used as rsync targets using file integrity monitoring (FIM) solutions
- Implement network traffic analysis to detect anomalous rsync protocol behavior or connections to unauthorized servers
- Review rsync logs for unusual file transfer patterns or unexpected path traversal indicators
- Deploy endpoint detection rules that alert on modifications to sensitive files like SSH authorized_keys after rsync operations
Monitoring Recommendations
- Enable verbose logging for rsync operations and centralize logs for analysis
- Configure alerts for rsync connections to IP addresses not on an approved whitelist
- Monitor for new SSH key additions or modifications across systems that use rsync for synchronization
- Implement behavioral analytics to baseline normal rsync file transfer patterns and flag deviations
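The log-review and alerting items above can be automated with a small scanner over rsync's --itemize-changes (-i) output, in which each line carries an 11-character change code followed by the path and a leading ">" marks an item received from the peer. The example below is added for this page (not part of the original or of rsync); the log lines are constructed, and the list of sensitive path patterns is an assumption to be extended per environment.

```python
import fnmatch
import re

# Paths whose modification by a remote peer is a strong indicator of compromise
# (assumed starting list, drawn from the IoCs above; extend per environment).
SENSITIVE_GLOBS = [
    "*.ssh/authorized_keys", ".ssh/*", "*/.ssh/*",
    ".bashrc", ".profile", "*/.bashrc", "*/.profile",
    "etc/*", "*/etc/*",
]

# rsync -i lines: an 11-character change code, one space, then the path.
ITEMIZE_RE = re.compile(r"^(?P<code>.{11}) (?P<path>.+)$")


def parse_itemized(line: str):
    """Parse one -i line into a dict, or None if the line is not itemized output."""
    m = ITEMIZE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    code, path = m.group("code"), m.group("path")
    return {
        "code": code,
        "received": code[0] == ">",   # '>' = file transferred in from the peer
        "kind": code[1],              # f=file, d=dir, L=symlink, ...
        "path": path,
    }


def is_sensitive(path: str) -> bool:
    """True if the path matches one of the sensitive patterns."""
    if path.startswith("./"):
        path = path[2:]
    return any(fnmatch.fnmatchcase(path, g) for g in SENSITIVE_GLOBS)


def flag_transfers(lines):
    """Return (path, code) for every item received from the peer that touches
    a sensitive location.  Directory creations, deletions and purely local
    attribute changes are ignored because they carry no peer-supplied content."""
    findings = []
    for line in lines:
        item = parse_itemized(line)
        if item is None or not item["received"]:
            continue
        if is_sensitive(item["path"]):
            findings.append((item["path"], item["code"]))
    return findings


# Constructed sample of -i output for a job that was only expected to refresh
# the backup/ tree; the two trailing entries are the kind of thing a malicious
# or compromised server would inject.
SAMPLE_LOG = """\
cd+++++++++ backup/
>f+++++++++ backup/notes.txt
>f.st...... backup/report.pdf
*deleting   backup/old.txt
>f+++++++++ .ssh/authorized_keys
>f.st...... .bashrc
"""

if __name__ == "__main__":
    for path, code in flag_transfers(SAMPLE_LOG.splitlines()):
        print(f"ALERT sensitive file received from peer: {path} ({code})")
```

Run after each rsync job with the job's -i output captured, this turns the "sensitive file modified after rsync" rule into a concrete alert; feeding the findings into the central log pipeline recommended above lets them be correlated with the server address the job connected to.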
How to Mitigate CVE-2022-29154
Immediate Actions Required
- Upgrade rsync to version 3.2.5 or later immediately on all affected systems
- Audit existing rsync configurations to identify connections to untrusted or external servers
- Review file integrity of rsync target directories for any signs of compromise
- Consider temporarily disabling automated rsync jobs connecting to external servers until patching is complete
Patch Information
The vulnerability has been fixed in rsync version 3.2.5. Users should upgrade to this version or later to mitigate the risk. Updated packages are available through the GitHub rsync Release Tags page. Fedora users can obtain patched versions through the Fedora package repositories as announced in the Fedora Package Announcements.
For additional details, refer to the OpenWall OSS-Security Mailing List disclosure.
Workarounds
- Use SSH tunneling for rsync connections to ensure server authenticity and prevent Man-in-the-Middle attacks
- Restrict rsync operations to connect only to known and trusted servers using firewall rules
- Run rsync with restricted permissions and avoid running as root when possible
- Implement strict file path whitelisting on the client side to limit which directories rsync can write to
# Example: use SSH as the transport with strict host key verification so a
# Man-in-the-Middle cannot impersonate the server
rsync -avz -e "ssh -o StrictHostKeyChecking=yes" user@trusted-server:/source/ /destination/
# Limit what a daemon-mode transfer may change on the client: --safe-links drops
# symlinks that point outside the copied tree and --ignore-existing refuses to
# overwrite files already present (for example an existing authorized_keys);
# note that new files can still be created, so this reduces rather than removes the risk
rsync --safe-links --ignore-existing -avz server::module /restricted/target/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.