rsync fails to properly handle negative values specified for signed integers thereby allowing remote command execution

2002-09-16T00:00:00
ID VU:800635
Type cert
Reporter CERT
Modified 2002-09-16T21:26:00

Description

Overview

There exist several signed-integer vulnerabilities in rsync. If rsync is run as a daemon, a remote-root compromise may be possible.

Description

Included in most distributions of Linux, rsync is a popular tool for synchronizing files across multiple hosts. Though not enabled in the default configuration, rsync can be run as a daemon to facilitate the distribution of files to FTP mirror sites.

Researchers have found several vulnerabilities in rsync, resulting from the use of signed integer variables. If rsync receives negative integers where it expects positive integers, it can be forced to overwrite arbitrary bytes of the stack with zeroes (null-bytes).
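
The bug class described above, as an added example (not rsync's source and not part of the original note): a peer-supplied signed integer is checked only against an upper bound, so a negative value passes, while the corrected check rejects it. The table, the function names and the little-endian wire encoding are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_LEN 16 /* hypothetical fixed-size table held by the receiver */

/* Decode a 32-bit little-endian value from the peer into a signed int
 * (the wire encoding is an assumption made for this example). */
static int32_t decode_i32_le(const unsigned char b[4]) {
    uint32_t u = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    int32_t v;
    memcpy(&v, &u, sizeof v); /* FF FF FF FF becomes -1 */
    return v;
}

/* Flawed check: only the upper bound is tested, so every negative passes. */
static int index_ok_flawed(int32_t idx) {
    return idx < TABLE_LEN;
}

/* Corrected check: reject negatives before comparing against the bound. */
static int index_ok_fixed(int32_t idx) {
    return idx >= 0 && idx < TABLE_LEN;
}

/* Zero the entry the peer names. Returns 0 on success, -1 if rejected;
 * the table is never touched for a rejected index. */
static int clear_entry(unsigned char table[TABLE_LEN],
                       const unsigned char wire[4]) {
    int32_t idx = decode_i32_le(wire);
    if (!index_ok_fixed(idx))
        return -1;
    table[idx] = 0;
    return 0;
}

int main(void) {
    const unsigned char neg[4] = {0xFF, 0xFF, 0xFF, 0xFF}; /* constructed input */
    unsigned char table[TABLE_LEN];
    memset(table, 0xAA, sizeof table);
    int32_t idx = decode_i32_le(neg);
    printf("decoded=%d flawed=%d fixed=%d clear=%d\n", (int)idx,
           index_ok_flawed(idx), index_ok_fixed(idx), clear_entry(table, neg));
    return 0;
}
```

With the flawed check, the write `table[idx] = 0` would land outside the table for any negative index, which is the zero-byte overwrite the note describes.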


Impact

The rsync process can be exploited to execute arbitrary code. If rsync is run as a daemon, a remote attacker can execute arbitrary code as the owner of the rsync process, generally root.


Solution

Apply a patch from your vendor.


Use the "chroot" option in the rsync config file to limit rsync's access to the filesystem.


Vendor Information


Caldera Affected

Notified: January 29, 2002 Updated: September 14, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Updated: June 06, 2002

Status

Affected

Vendor Statement

"[The vulnerability] exists in our supported products: CL 5.0 through CL 7.0. It has been corrected. New packages are available at our ftp server and mirrors:

ftp://atualizacoes.conectiva.com.br/<version>/RPMS

"Announcement CLSA-2002:458 for this vulnerability is available."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Conectiva Announcement CLSA-2002:458 at

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000458&idioma=en


Debian Affected

Notified: January 29, 2002 Updated: June 06, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Affected

Updated: September 16, 2002

Status

Affected

Vendor Statement

"Users of EnGarde 1.0.1 should read advisory ESA-20020125-004 "rsync --
signed integer handling vulnerability" released on January 25, 2002:

<http://www.linuxsecurity.com/advisories/other_advisory-1853.html>

Users of EnGarde Secure Professional can obtain updates via the Guardian
Digital Secure Network."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company Affected

Notified: January 29, 2002 Updated: June 06, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft Affected

Notified: January 29, 2002 Updated: June 06, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See MandrakeSoft's rsync advisory at

<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-009.php>


IBM-zSeries Unknown

Notified: January 29, 2002 Updated: June 06, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent Unknown

Notified: January 29, 2002 Updated: June 06, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

Thanks to Conectiva for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: | CVE-2002-0048
---|---
Severity Metric: | 15.26
Date Public: | 2002-01-25
Date First Published: | 2002-09-16
Date Last Updated: | 2002-09-16 21:26 UTC
Document Revision: | 11