CVE-2024-12747 Overview
A race condition vulnerability has been discovered in rsync, a widely-used file synchronization utility. This vulnerability arises during rsync's handling of symbolic links, where the default behavior is to skip symlinks during file transfers. However, a Time-of-Check Time-of-Use (TOCTOU) race condition allows an attacker to replace a regular file with a symbolic link at a precise moment, bypassing rsync's symlink protection mechanism and enabling symbolic link traversal.
Depending on the privileges of the rsync process, successful exploitation could allow an attacker to leak sensitive information from the system. This information disclosure could potentially be leveraged for further privilege escalation attacks.
Critical Impact
Exploitation of this race condition can bypass rsync's symbolic link handling, enabling unauthorized access to sensitive files and potential privilege escalation through information disclosure.
Affected Products
- rsync (all versions prior to patched releases)
- Red Hat Enterprise Linux (multiple versions)
- Debian Linux (LTS releases)
Discovery Timeline
- 2025-01-14 - CVE-2024-12747 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-12747
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), specifically a Time-of-Check Time-of-Use (TOCTOU) race condition. The flaw exists in how rsync checks whether a source path is a regular file versus a symbolic link.
The attack requires local access to the system where rsync operations are being performed. While exploitation requires precise timing to win the race condition, successful attacks can result in high confidentiality impact as the attacker may be able to read arbitrary files accessible to the rsync process.
The vulnerability affects scenarios where rsync is used with elevated privileges or in automated backup/synchronization contexts where the attacker can predict rsync operations.
Root Cause
The root cause is a lack of proper atomicity between checking a file's type and operating on that file during rsync's symbolic link handling logic. When rsync determines that a path points to a regular file, a small window exists before the file is accessed, during which an attacker can replace the file with a symbolic link pointing to a sensitive target file.
This TOCTOU vulnerability occurs because rsync does not maintain a consistent view of the filesystem between the symlink check and the subsequent file operation, allowing the attacker to manipulate the race window.
Attack Vector
The attack vector requires local access to the system. An attacker with the ability to write to directories being processed by rsync can:
- Create a regular file in a location being synchronized by rsync
- Monitor for rsync operations or trigger them through other means
- At the precise moment after rsync checks the file type but before it reads the file, replace the regular file with a symbolic link pointing to a sensitive target
- rsync then follows the symlink, reading the sensitive file content instead
The exploitation is made more difficult by the timing precision required, but automated exploitation attempts could increase success rates through repeated attempts. The attack is most effective when rsync runs with elevated privileges or when the attacker can predict synchronization schedules.
Detection Methods for CVE-2024-12747
Indicators of Compromise
- Unexpected symbolic links appearing in directories typically processed by rsync
- Rapid file type changes (regular file to symlink) in rsync-monitored directories
- Unusual file access patterns where rsync reads files outside expected directories
- Log entries showing rsync accessing sensitive system files unexpectedly
Detection Strategies
- Monitor filesystem events for rapid file deletion and symlink creation in rsync working directories
- Implement file integrity monitoring on sensitive files to detect unexpected access patterns
- Review rsync logs for unexpected file paths or permission denied errors on sensitive files
- Use security information and event management (SIEM) rules to correlate rsync execution with suspicious filesystem activity
Monitoring Recommendations
- Enable detailed logging for rsync operations including file paths accessed
- Implement auditd rules to monitor symlink creation in directories used by rsync
- Configure endpoint detection to alert on rapid file type modifications
- Monitor for privilege escalation attempts following rsync synchronization events
How to Mitigate CVE-2024-12747
Immediate Actions Required
- Update rsync to the latest patched version from your distribution vendor
- Restrict write access to directories being processed by rsync to trusted users only
- Avoid running rsync with elevated privileges unless absolutely necessary
- Review rsync configurations and remove unnecessary synchronization paths
Patch Information
Multiple Linux distributions have released patches for this vulnerability. Administrators should apply updates from their respective vendors:
- Red Hat Security Advisory RHSA-2025:2600
- Red Hat Security Advisory RHSA-2025:7050
- Red Hat Security Advisory RHSA-2025:8385
- Debian LTS Announcement January 2025
- NetApp Security Advisory NTAP-20250131-0002
For additional technical details, consult the Red Hat CVE Report CVE-2024-12747 and CERT Vulnerability Advisory #952657.
Workarounds
- Run rsync with the --no-links option to completely skip symbolic link processing
- Use rsync's --copy-unsafe-links option to copy the target of symbolic links rather than the links themselves
- Implement directory permissions that prevent untrusted users from creating files in synchronized directories
- Consider using chroot environments or containerization to limit the scope of potential symlink traversal attacks
# Example mitigation configuration
# Run rsync with symlink protection options
rsync -av --no-links /source/ /destination/
# Alternatively, copy link targets instead of links
rsync -av --copy-unsafe-links /source/ /destination/
# Restrict directory permissions to trusted users
chmod 755 /rsync-working-directory
chown root:rsync-group /rsync-working-directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
