             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       rsync Heap Overflow Vulnerability
                       [rsync 2.5.6 Security Advisory]

December 4, 2003 21:00 GMT                                        Number O-034
                                                        [REVISED 10 Dec 2003]
                                                        [REVISED 11 Dec 2003]
______________________________________________________________________________

PROBLEM:       A heap overflow vulnerability has been identified in the rsync
               open source utility, a fast remote file copy program. This
               vulnerability was recently used in conjunction with the
               vulnerability in the Linux do_brk function (see CIAC Bulletin
               O-031) to compromise a public rsync server.

SOFTWARE:      rsync versions 2.5.6 and earlier

DAMAGE:        The rsync heap overflow vulnerability can allow attackers to
               remotely run arbitrary code, but cannot be used by itself to
               gain root access on an rsync server. However, using it in
               conjunction with the recently announced do_brk function
               vulnerability (see CIAC Bulletin O-031) can allow an attacker
               to gain root access on a system.

SOLUTION:      Update to rsync version 2.5.7.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. When exploited by itself, this
ASSESSMENT:    vulnerability does not allow an attacker to gain root access,
               only to run arbitrary code.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-034.shtml
 ORIGINAL BULLETIN:  http://samba.anu.edu.au/rsync/
 ADDITIONAL LINKS:
   * DEBIAN Linux - Security Advisory DSA 404-1
     http://www.debian.org/security/2003/dsa-404
   * RED HAT Linux - RHSA-2003:398-07
     https://rhn.redhat.com/errata/RHSA-2003-398.html
   * RED HAT Enterprise Linux - RHSA-2003:399-06
     https://rhn.redhat.com/errata/RHSA-2003-399.html
   * SGI - Security Advisory 20031202-01-U (has patches)
     ftp://patches.sgi.com/support/free/security/advisories/20031202-01-U.asc
   * Symantec Advisory
     http://securityresponse.symantec.com/avcenter/security/Content/9153.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
______________________________________________________________________________

REVISION HISTORY:
 12/10/03 - Added information about the SGI Security Advisory in the
            Additional Links section.
 12/11/03 - Added a link to Symantec's advisory. This contains consolidated
            fix/patch information for various operating system vendors along
            with some other recommendations.

[***** Start rsync 2.5.6 Security Advisory *****]

rsync 2.5.6 security advisory
December 4th 2003

Background
----------

The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to
compromise the security of a public rsync server. While the forensic
evidence we have is incomplete, we have pieced together the most likely
way that this attack was conducted and we are releasing this advisory
as a result of our investigations to date.

Our conclusions are that:

 - rsync version 2.5.6 and earlier contains a heap overflow
   vulnerability that can be used to remotely run arbitrary code.
 - While this heap overflow vulnerability could not be used by itself
   to obtain root access on a rsync server, it could be used in
   combination with the recently announced brk vulnerability in the
   Linux kernel to produce a full remote compromise.

 - The server that was compromised was using a non-default rsyncd.conf
   option "use chroot = no". The use of this option made the attack on
   the compromised server considerably easier. A successful attack is
   almost certainly still possible without this option, but it would
   be much more difficult.

Please note that this vulnerability only affects the use of rsync as a
"rsync server". To see if you are running a rsync server you should
use the netstat command to see if you are listening on TCP port 873.
If you are not listening on TCP port 873 then you are not running a
rsync server.

New rsync release
-----------------

In response we have released a new version of rsync, version 2.5.7.
This is based on the current stable 2.5.6 release with only the
changes necessary to prevent this heap overflow vulnerability. There
are no new features in this release.

We recommend that anyone running a rsync server take the following
steps:

 1. Update to rsync version 2.5.7 immediately.

 2. If you are running a Linux kernel prior to version 2.4.23 then you
    should upgrade your kernel immediately. Note that some
    distribution vendors may have patched versions of the 2.4.x series
    kernel that fix the brk vulnerability in versions before 2.4.23.
    Check with your vendor security site to ensure that you are not
    vulnerable to the brk problem.

 3. Review your /etc/rsyncd.conf configuration file. If you are using
    the option "use chroot = no" then remove that line or change it to
    "use chroot = yes". If you find that you need that option for your
    rsync service then you should disable your rsync service until you
    have discussed a workaround with the rsync maintainers on the
    rsync mailing list. The disabling of the chroot option should not
    be needed for any normal rsync server.
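The three steps above, turned into a host audit script. This is an added example, not code from CIAC or the rsync team; the function names are its own, and the version strings, listener output and rsyncd.conf text used to exercise it are constructed input.

```sh
#!/bin/sh
# Added example, not part of the CIAC bulletin or the rsync advisory: an
# offline audit for the advisory's three steps. Function names are this
# example's own; in audit_host the netstat, version and rsyncd.conf text
# comes from the live host, everything else in this file is constructed.

# True (exit 0) when dotted numeric version $1 sorts strictly before $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# The advisory's test for "am I running a rsync server": a listener on TCP
# port 873. $1 is the text of "netstat -tln" or "ss -tln" (listeners only).
rsync_listening() {
    printf '%s\n' "$1" | grep -Eq ':873([[:space:]]|$)'
}

# rsync 2.5.6 and earlier are vulnerable; $1 is the first line of "rsync --version".
rsync_vulnerable() {
    v=$(printf '%s\n' "$1" | sed -n 's/^rsync *version *\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_lt "$v" 2.5.7
}

# Kernel releases before 2.4.23 carry the brk bug; $1 is "uname -r", vendor
# suffix stripped. Vendors may have backported the fix, so a hit here means
# "confirm with your vendor", not "exploitable".
kernel_vulnerable() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    [ -n "$v" ] && version_lt "$v" 2.4.23
}

# Active (uncommented) "use chroot = no" in rsyncd.conf text $1, matched the
# way rsync reads it: case-insensitive, whitespace-tolerant. Accepting false/0
# as well as no is an assumption about rsync's boolean parser.
chroot_disabled() {
    printf '%s\n' "$1" |
    grep -Eiq '^[[:space:]]*use[[:space:]]+chroot[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$'
}

# Run on the live host; each finding names the advisory step it triggers.
audit_host() {
    rsync_listening "$(netstat -tln 2>/dev/null)" || { echo "no rsync server on TCP 873"; return 0; }
    rsync_vulnerable "$(rsync --version 2>/dev/null | head -n1)" && echo "step 1: update rsync to 2.5.7"
    kernel_vulnerable "$(uname -r)" && echo "step 2: kernel before 2.4.23, check vendor brk fix"
    [ -r /etc/rsyncd.conf ] && chroot_disabled "$(cat /etc/rsyncd.conf)" && echo "step 3: set use chroot = yes"
    return 0
}
```

Calling audit_host on a real system prints one line per step that still applies; the individual checks can be fed saved command output from other hosts.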
The patches and full source for rsync version 2.5.7 are available from
http://rsync.samba.org/ and mirror sites. We expect that vendors will
produce updated packages for their distributions shortly.

Credits
-------

The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:

  Timo Sirainen
  Mike Warfield
  Paul Russell
  Andrea Barisani

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0962 to this issue.

Regards,
The rsync team

[***** End rsync 2.5.6 Security Advisory *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the rsync Samba Organization
for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A
list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-024: Microsoft Buffer Overrun in Microsoft FrontPage
O-025: ISS PeopleSoft IClient Servlet Remote Command Execution Vulnerability
O-026: Red Hat Updated PostgreSQL Packages Fix Buffer Overflow
O-027: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
O-028: Hewlett Packard dtmailpr
O-029: Sun Security Vulnerability on Sun Systems with a PGX32 Frame Buffer
O-030: Hewlett Packard VirtualVault OpenSSH Vulnerabilities
O-031: Red Hat Updated 2.4 Kernel Fixes Privilege Escalation Security Vulnerability
O-032: HP shar(1) Utility Vulnerability
O-033: Sun Xsun Server in Direct Graphics Access (DGA) Vulnerabilities