CVE-2025-67901
Segmentation Fault Vulnerability in openrsync Server via Zero-Length Block Data
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbsd | openrsync | * |
| openbsd | openrsync | 0.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in openrsync (through version 0.5.0) allows a remote attacker to cause a server or client crash (SIGSEGV) by sending specially crafted block metadata with a zero length for block data. The issue arises because the code does not properly check the relationship between the remaining data size (p->rem) and the length (p->len). When p->len is zero, the validation is bypassed, allowing p->rem to be set to an arbitrarily large value. This leads to an out-of-bounds read from a small memory-mapped buffer, causing a segmentation fault and denial of service. Both malicious clients and servers can exploit this flaw to crash the other party during rsync operations. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a remote attacker to cause a denial of service (DoS) on your OpenRsync server or client. The attacker can crash the application by sending crafted block metadata that triggers a segmentation fault, resulting in service interruption. This could lead to downtime, loss of availability, and potential disruption of file synchronization services relying on OpenRsync. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes (SIGSEGV) in the OpenRsync server or client processes, especially when handling rsync protocol version 27 connections. Detection can involve checking logs for segmentation faults or abnormal termination of OpenRsync processes. Additionally, network traffic analysis could look for rsync sessions where block metadata contains suspicious values such as block size (blksz) of 1, length (len) of 0, and a very large rem value (e.g., 0x40000000). However, no specific detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating OpenRsync to a version that includes the suggested fix, which adds validation to ensure the block size is neither zero nor larger than the mapped buffer size. If an update is not immediately available, consider restricting or monitoring rsync protocol version 27 traffic, and limiting access to OpenRsync servers to trusted clients to reduce exposure. Applying patches that add checks such as verifying that the block size (sz) is valid before processing can prevent exploitation. [2]
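The check described in the answers above, as an added illustration that is not openrsync's code and is not taken from the referenced resources: a hypothetical weak validator that only relates `rem` to `len` when `len` is non-zero (so a zero `len` lets an arbitrarily large `rem` through), beside a strict validator that bounds the block size and the remainder against the mapped buffer size unconditionally. The struct name, field names and the `mapsz` parameter are assumptions chosen to follow the wording of the CVE text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed block metadata as a receiver would parse it from the peer.
 * Field names follow the CVE description, not openrsync's source. */
struct block_meta {
	uint32_t blksz; /* size of each block */
	uint32_t len;   /* length the metadata claims for the block data */
	uint64_t rem;   /* remaining data size to be read from the mapping */
};

/* Hypothetical weak check (CWE-1284 pattern): the relationship between
 * rem and len is enforced only when len is non-zero, so len == 0 lets
 * any rem through. Returns 1 if accepted, 0 if rejected. */
int weak_check(const struct block_meta *m)
{
	if (m->len != 0 && m->rem > m->len)
		return 0;
	return 1;
}

/* Strict check: the block size must be neither zero nor larger than the
 * mapped buffer, and the remainder must fit in the mapping regardless
 * of len. mapsz is the size of the memory-mapped buffer being read. */
int strict_check(const struct block_meta *m, size_t mapsz)
{
	if (m->blksz == 0 || m->blksz > mapsz)
		return 0;
	if (m->rem > mapsz)
		return 0;
	if (m->len != 0 && m->rem > m->len)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed values matching the suspicious pattern named in the
	 * detection answer: blksz 1, len 0, rem 0x40000000. */
	struct block_meta crafted = { 1, 0, 0x40000000u };
	/* Constructed benign metadata for a 4 KiB mapping. */
	struct block_meta benign = { 700, 4096, 4096 };
	size_t mapsz = 4096;

	printf("crafted: weak=%d strict=%d\n",
	    weak_check(&crafted), strict_check(&crafted, mapsz));
	printf("benign:  weak=%d strict=%d\n",
	    weak_check(&benign), strict_check(&benign, mapsz));
	return 0;
}
```

The point of the comparison is that a quantity check conditioned on another attacker-controlled field can be switched off by that field; bounding `rem` and `blksz` against the actual mapping size removes the bypass.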
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows remote attackers to cause a denial of service (DoS) by crashing the OpenRsync server or client through crafted block metadata. While it does not directly lead to data disclosure or integrity loss, the resulting service disruption could impact availability requirements under standards like GDPR and HIPAA. Therefore, organizations relying on OpenRsync for data transfer should consider this vulnerability as a risk to system availability, which is a component of compliance with such regulations. [2]