Executive Summary

This vulnerability is an off-by-one out-of-bounds stack write in the rsync client software, specifically in the establish_proxy_connection() function in socket.c. It occurs when the client reads the first response line from an HTTP proxy one byte at a time into a 1024-byte buffer. If the proxy sends a response line of 1023 or more bytes without a newline terminator, the code attempts to add a null byte beyond the buffer boundary, corrupting adjacent stack memory.

This can be exploited by an attacker who controls the proxy server or is positioned between the client and proxy (man-in-the-middle) to send a malformed HTTP proxy response. The vulnerability only affects clients using an HTTP CONNECT proxy via the RSYNC_PROXY environment variable.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is limited to client-side stack memory corruption of one byte. This can cause the rsync client to misbehave or crash.

There is no arbitrary code execution, information disclosure, or server-side exposure associated with this vulnerability. The severity is considered low.

Users who rely on rsync with an HTTP CONNECT proxy and the RSYNC_PROXY environment variable set should upgrade to version 3.4.3 or later to avoid this issue or avoid using untrusted proxies.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when the rsync client uses an HTTP CONNECT proxy via the RSYNC_PROXY environment variable and the proxy returns a response line of 1023 or more bytes without a newline terminator, causing a stack corruption.

To detect this vulnerability on your system, you can check the rsync version to see if it is before 3.4.3, which is vulnerable.

• Run the command: rsync --version

To detect exploitation attempts on your network, monitor HTTP CONNECT proxy responses for unusually long first response lines (1023 bytes or more) without newline terminators.

Specific commands to detect malformed proxy responses are not provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade rsync to version 3.4.3 or later, which contains a patch that safely handles overly long proxy response lines.

Until you can upgrade, avoid using untrusted HTTP CONNECT proxies with rsync, especially when the RSYNC_PROXY environment variable is set.

If possible, disable the use of the RSYNC_PROXY environment variable or restrict proxy usage to trusted servers.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in rsync before version 3.4.3 involves an off-by-one out-of-bounds stack write that can cause client-side memory corruption when using an HTTP CONNECT proxy. However, there is no indication from the provided information that this vulnerability leads to information disclosure, data breach, or unauthorized access to sensitive data.

Because the impact is limited to client-side stack corruption without arbitrary write capability or information disclosure, it is unlikely that this vulnerability directly affects compliance with data protection regulations such as GDPR or HIPAA.

Nevertheless, organizations relying on rsync in proxy environments should apply the patch or avoid untrusted proxies to maintain secure operations and reduce risk, which supports overall compliance efforts.

Useful 0 Not Useful 0