Date: 05 December 2007
References: ESB-2011.0754
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2007.0116 AUSCERT Advisory
[UNIX/Linux]
Mulitple vulnerabilities in rsync
5 December 2007
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: rsync
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact: Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6200 CVE-2007-6199
Member content until: Monday, December 31 2007
Revision History: December 5 2007: Added CVE References
December 3 2007: Initial Release
OVERVIEW:
Multiple vulnerabilities have been reported in rsync, which allows
remote users to bypass certain security restrictions.
IMPACT:
The vendor has released the following information regarding these
vulnerabilities:
a) 'If you are running a writable rsync daemon with "use chroot =
no", there is at least one way for someone to trick rsync into
creating a symlink that points outside of the module's hierarchy.
This means that if you are allowing access from users who you
don't trust, that you should either figure out a way to turn on
"use chroot", or configure the daemon to refuse the --links
option (see "refuse options" in the rsyncd.conf manpage) which
will disable the ability of the rsync module to receive symlinks.
After doing so, you should also check that any existing symlinks
in the daemon hierarchy are safe.' [1]
b) 'If you are running a writable rsync daemon that is using one of
the "exclude", "exclude from", or "filter" options in the
rsyncd.conf file to hide data from your users, you should be aware
that there are tricks that a user can play with symlinks and/or
certain options that can allow a user that knows the name of a
hidden file to access it or overwrite it (if file permissions
allow that).' [1]
MITIGATION:
A patch to rectify these vulnerabilities is available for download
via the rsync website.[2]
Rsync also recommends that 'Any admin applying that patch should
read the "munge symlinks" section of the modified rsyncd.conf
manpage for more information.' [1]
REFERENCES:
[1] Rsync Security Advisories
http://samba.org/rsync/security.html
[2] Rsync
http://samba.org/rsync/download.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR1Xl7Sh9+71yA2DNAQL5dAP/U3AsxQHJ1m44y3T6WNdp4H7I6I49Upms
I2g8WRF9K1XNQdL0uHeZJjzEKGskyrjgyoMx40uFWRTdu9m6uJLmaxx7UmY2URyI
YZ+GngcY/NnnxXSTH7JWUyFdxkYeWzcsfAheDzQQeuIS/ULtSI7TPu04sTjz0CiI
badK8SEPFX0=
=JerY
-----END PGP SIGNATURE-----
|