CVE-2024-12087 Overview
A path traversal vulnerability exists in rsync that allows a malicious server to write files outside of the client's intended destination directory. The flaw stems from behavior enabled by the --inc-recursive option, which is enabled by default for many client options and can be enabled by the server even if not explicitly enabled by the client. When using this option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis allows an attacker to write malicious files to arbitrary locations named after valid directories/paths on the client.
Critical Impact
A malicious rsync server can exploit this vulnerability to write arbitrary files to locations outside the intended sync destination, potentially leading to configuration tampering, malware deployment, or system compromise.
Affected Products
- Samba rsync (all versions prior to patch)
- Red Hat Enterprise Linux 8.0, 9.0 and EUS versions
- AlmaLinux 8.0, 9.0, 10.0
- Arch Linux
- Gentoo Linux
- NixOS
- SUSE Linux
- Triton DataCenter SmartOS
Discovery Timeline
- January 14, 2025 - CVE-2024-12087 published to NVD
- December 22, 2025 - Last updated in NVD database
Technical Details for CVE-2024-12087
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects rsync's incremental recursive file synchronization functionality. The core issue lies in how rsync handles symlink verification when operating in incremental recursive mode. The --inc-recursive option processes files in batches using file lists, and the deduplication checks performed during this process occur on a per-file-list basis rather than globally. This creates a window where a malicious server can manipulate the synchronization process to bypass path restrictions.
When a client connects to a malicious rsync server, the server can craft responses that exploit the gap between symlink verification and deduplication checks. By carefully timing the introduction of symlinks and target files across different file lists, the server can trick the client into following symlinks that point outside the designated destination directory, ultimately writing attacker-controlled content to arbitrary filesystem locations.
Root Cause
The root cause is insufficient validation of file paths during incremental recursive synchronization operations. The vulnerability manifests because:
- Symlink verification does not adequately account for paths that may have been validated in previous file lists
- Deduplication checks operate within the scope of individual file lists rather than maintaining global state
- The --inc-recursive option can be server-enabled, removing client control over whether this vulnerable code path is exercised
- Path canonicalization and boundary enforcement fail to prevent traversal when symlinks span multiple file list batches
Attack Vector
The attack requires a client to connect to a malicious rsync server. The server exploits the vulnerability through network-based interaction during synchronization operations. Since this is a server-to-client attack, any system using rsync to pull data from untrusted or compromised servers is at risk.
The attack flow involves the malicious server sending crafted file list data that manipulates the incremental recursive processing. By strategically placing symlinks and regular files across file list boundaries, the attacker causes the client to write files to unintended locations. The attacker can target sensitive system directories such as /etc, user home directories, or application configuration paths.
Detection Methods for CVE-2024-12087
Indicators of Compromise
- Unexpected files appearing outside designated rsync destination directories
- Symlinks created in sync destinations pointing to sensitive system paths like /etc, /root, or /home
- Rsync log entries showing path traversal sequences (../) in transferred file names
- Modified system configuration files correlating with rsync synchronization timestamps
Detection Strategies
- Monitor rsync process activity for file writes outside expected destination paths using file integrity monitoring solutions
- Implement audit rules to track symlink creation and file modifications during rsync operations
- Deploy endpoint detection and response (EDR) solutions capable of identifying anomalous file system activity patterns
- Review rsync logs for suspicious file path patterns, particularly those containing relative path components
Monitoring Recommendations
- Enable verbose rsync logging with the -v or --log-file options to capture detailed transfer information
- Implement real-time file integrity monitoring on critical system directories
- Configure alerts for rsync processes writing to unexpected filesystem locations
- Monitor network connections to identify rsync traffic with untrusted or suspicious remote servers
How to Mitigate CVE-2024-12087
Immediate Actions Required
- Update rsync to the latest patched version available from your distribution's package repository
- Audit all rsync configurations to identify connections to external or untrusted servers
- Disable the --inc-recursive option explicitly using --no-inc-recursive when connecting to servers that don't require incremental recursion
- Implement network segmentation to restrict rsync traffic to trusted internal servers only
Patch Information
Security patches have been released by multiple vendors. Consult the following advisories for version-specific patch information:
- Red Hat Security Advisory RHSA-2025:2600 - Red Hat Enterprise Linux patches
- CERT Vulnerability Note #952657 - Coordination center advisory
- Debian LTS Security Announcement - Debian package updates
- NetApp Security Advisory NTAP-20250131-0002 - NetApp product updates
- GitHub Security Advisory GHSA-p5pg-x43v-mvqj - Technical details from Google Security Research
Workarounds
- Use the --no-inc-recursive flag explicitly when invoking rsync to disable incremental recursive mode
- Employ chroot environments or containerization to isolate rsync processes and limit filesystem access
- Configure rsync daemon (rsyncd) with strict path and read only directives to limit server-side exposure
- Use --safe-links option to ignore symlinks that point outside the destination tree
# Safe rsync configuration example
# Explicitly disable incremental recursion and enable safe link handling
rsync -avz --no-inc-recursive --safe-links user@trusted-server:/source/ /destination/
# For rsyncd.conf, restrict paths and enforce read-only where possible
# [backup]
# path = /srv/backup
# read only = yes
# refuse options = inc-recursive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
