oss-sec mailing list archives

CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.


From: EGE BALCI <ege () prodaft com>
Date: Tue, 2 Aug 2022 11:53:25 +0300

Date reported           : July 25, 2022
CVE identifiers         : CVE-2022-29154.
------------------------------------------------------------------------
Rsync client-side arbitrary file write vulnerability. (CVE-2022-29154)
------------------------------------------------------------------------

>>>> We have discovered a critical arbitrary file write vulnerability in the
>>>> rsync utility that allows malicious remote servers to write arbitrary
>>>> files inside the directories of connecting peers. The server chooses
>>>> which files/directories are sent to the client. Due to the insufficient
>>>> controls inside the
>>>> [do_server_recv](https://github.com/WayneD/rsync/blob/85c56b2603d97c225889175797ffff6745a4d305/main.c#L1118)
>>>> function, a malicious rsync server (or Man-in-The-Middle attacker) can
>>>> overwrite arbitrary files in the rsync client target directory and
>>>> subdirectories. An attacker abusing this vulnerability can overwrite
>>>> critical files under the target rsync directory and subdirectories (for
>>>> example, to overwrite the .ssh/authorized_keys file). This issue is very
>>>> similar to
>>>> [CVE-2019-6111](https://www.youtube.com/watch?v=fcesKgfSPq4).
>>>>
>>>> Best regards, Ege BALCI, Taha HAMAD.

The vulnerability was addressed with the developer of the rsync project and the necessary patches have been made. The related commit and details can be found at the following links:
- https://download.samba.org/pub/rsync/NEWS
- https://download.samba.org/pub/rsync/rsync.1#MULTI-HOST_SECURITY
- https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871

We recommend updating to the latest stable versions of rsync.

--
*Ege BALCI*
Threat Intelligence Team Lead

*PRODAFT Cyber Security Technologies INC.*
*CH:* Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains, Switzerland
*NL:* Wilhelmina van Pruisenweg 104, 2595 AN Den Haag, Netherlands
*E.:*ege[at]prodaft.com
*IN:*/egebalci
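The advisory's core point is that the client accepted whatever file-list entries the server chose to send, even ones outside what the client had asked for. The following is an added illustration of the kind of client-side check that closes that gap; it is not rsync's own code, and the requested arguments, the server-supplied file list and the function names are constructed for the example.

```python
import posixpath
from typing import Iterable, List, Tuple

# Constructed sample: what the client asked the server for (the transfer's
# arguments) and a file list a malicious server might answer with. Neither
# list is from the advisory; they illustrate the class of entry to refuse.
REQUESTED_ARGS = ["docs/", "notes.txt"]
SERVER_FILE_LIST = [
    "docs/readme.md",
    "docs/sub/build.sh",
    "notes.txt",
    ".ssh/authorized_keys",          # never requested: the advisory's example
    "docs/../.ssh/authorized_keys",  # traversal hidden behind a requested prefix
    "/etc/passwd",                   # absolute path
    "docs//x",                       # empty path component
]

def entry_matches_request(entry: str, requested_args: Iterable[str]) -> bool:
    """Accept a server-sent relative path only if it is a requested file
    itself or lies beneath a requested directory. Absolute paths and any
    '.', '..' or empty component are refused before the prefix comparison,
    so traversal cannot escape a prefix that would otherwise match."""
    if not entry or entry.startswith("/") or "\\" in entry:
        return False
    parts = entry.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False
    for arg in requested_args:
        base = posixpath.normpath(arg)  # "docs/" and "docs" name the same tree
        if base in ("", ".", "/") or base.startswith(".."):
            continue
        if entry == base or entry.startswith(base + "/"):
            return True
    return False

def filter_file_list(entries: Iterable[str],
                     requested_args: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a received file list into accepted and rejected entries."""
    accepted, rejected = [], []
    for e in entries:
        (accepted if entry_matches_request(e, requested_args) else rejected).append(e)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = filter_file_list(SERVER_FILE_LIST, REQUESTED_ARGS)
    for e in bad:
        print(f"refused file-list entry from server: {e!r}")
    print("accepted:", ok)
```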


