Executive Summary

CVE-2026-43617 is an authorization bypass vulnerability in rsync versions 3.4.2 and earlier when the rsync daemon is configured with chroot and uses hostname-based access control lists (ACLs).

The vulnerability occurs because reverse DNS lookups are performed inside the chroot environment, which often lacks necessary files for DNS resolution. When the reverse DNS lookup fails, the hostname defaults to "UNKNOWN."

Attackers who control the PTR record for their source IP address can exploit this by causing their hostname to be resolved as "UNKNOWN," thereby bypassing hostname-based deny rules intended to block them.

This means that hostnames administrators intended to deny can be circumvented, allowing unauthorized connections.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-43617 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users to bypass hostname-based access restrictions on rsync daemons configured with chroot.

Attackers can gain access from hostnames that were meant to be denied, potentially exposing sensitive files or data shared via rsync.

However, IP-based access control lists are not affected by this vulnerability, so relying on IP-based restrictions can mitigate the risk.

The impact depends on how critical the rsync service is and how strictly hostname-based ACLs are used for security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves bypassing hostname-based deny rules by manipulating the PTR record of the source IP address, which affects reverse DNS resolution when rsync is configured with chroot.

To detect this vulnerability on your system, you can check if your rsync daemon is running a version prior to 3.4.3 and if it is configured with chroot and hostname-based access control lists.

You can verify the rsync version with the command:

• rsync --version

To check if the rsync daemon is running with chroot and hostname-based ACLs, review the rsync daemon configuration file (usually /etc/rsyncd.conf) for settings like 'use chroot = yes' and 'hosts deny' or 'hosts allow' directives.

To detect if reverse DNS resolution is failing inside the chroot, you can test DNS resolution within the chroot environment by attempting to resolve hostnames or checking for the presence of necessary DNS files such as /etc/resolv.conf.

Network commands to check reverse DNS for connecting IPs include:

• dig -x <client-ip>
• host <client-ip>

Monitoring rsync logs for connections from hostnames labeled as 'UNKNOWN' or unexpected hostnames can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade rsync to version 3.4.3 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, you can apply the following workarounds:

• Use IP-based access control lists (ACLs) instead of hostname-based ACLs, as IP-based ACLs are not affected by this vulnerability.
• Ensure that the chroot environment used by the rsync daemon contains the necessary DNS resolution files such as /etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, and NSS service modules to allow proper reverse DNS lookups.

Additionally, monitor your rsync logs for suspicious connections from hostnames resolving to 'UNKNOWN' or unexpected hostnames.

Useful 0 Not Useful 0