CVE-2022-29154 in rsync

Summary

by MITRE • 08/02/2022

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).


Analysis

by VulDB Data Team • 03/05/2025

The vulnerability identified as CVE-2022-29154 represents a critical security flaw in the rsync file synchronization utility affecting versions prior to 3.2.5. This issue stems from inadequate input validation mechanisms within the rsync client implementation, creating a scenario where remote malicious servers can manipulate file operations on client systems. The flaw manifests when a client connects to an untrusted rsync server, allowing the server to dictate which files are transferred and potentially overwrite existing files in the client's target directory structure. This vulnerability directly impacts the integrity and confidentiality of file systems, particularly exposing systems to unauthorized modifications that could compromise system security and access controls.

The technical root cause of this vulnerability lies in the insufficient validation of file paths and names during the rsync client processing phase. According to CWE-22, this represents a path traversal vulnerability where the client fails to properly sanitize file names received from remote servers. The rsync protocol operates on a client-server model where the server controls what files are sent to the client, but the client's failure to validate these file paths creates an attack surface. When malicious servers send specially crafted file names that include directory traversal sequences or absolute paths, the client processes these without adequate safeguards, leading to arbitrary file overwrites. This behavior aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter, as attackers can leverage this vulnerability to execute malicious file operations within the client's file system.
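The paragraph above describes the class of defect (CWE-22: the client trusts file names chosen by the server) without showing what a receive-side check looks like. The following is an added, self-contained example, not rsync's own code and not the patch shipped in 3.2.5: it implements a generic validator that a client could run on every file name it receives before touching the destination directory, and it goes slightly beyond the text by also catching escapes through symbolic links that already exist on disk. All function names and the file list are constructed for this illustration.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Constructed sample: a file list as a peer might announce it. The comments
# say why each entry is accepted or rejected; none of this is real rsync data.
CONSTRUCTED_FILE_LIST = [
    "backup/db.sql",            # ordinary relative name: accepted
    "../.ssh/authorized_keys",  # parent traversal out of the destination
    "/etc/passwd",              # absolute path ignores the destination entirely
    "docs/../../.bashrc",       # traversal hidden behind a harmless prefix
    "logs/./app.log",           # a '.' component is harmless
    "notes\x00.txt",            # NUL byte: the C string would be truncated
]


def is_safe_relative_name(name: str) -> bool:
    """Lexical check on a file name received from an untrusted peer.

    Rejects empty names, NUL bytes, absolute paths and any '..' component.
    The name is deliberately NOT normalised first: 'a/../b' is refused even
    though it lexically stays inside, because if 'a' is a symlink the kernel
    resolves '..' relative to the link target, not to the destination tree.
    """
    if not name or "\x00" in name:
        return False
    if name.startswith("/"):
        return False
    return all(component != ".." for component in name.split("/"))


def resolve_inside(dest_dir: str, name: str) -> Optional[str]:
    """Return the absolute on-disk path for `name` under `dest_dir`, or None.

    Combines the lexical check with a realpath confinement test so that a
    symlink already present inside dest_dir cannot redirect the write outside.
    """
    if not is_safe_relative_name(name):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if target != root and not target.startswith(root + os.sep):
        return None
    return target


def filter_file_list(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split an announced file list into (accepted, rejected) by the lexical check."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_safe_relative_name(n) else rejected).append(n)
    return accepted, rejected


def demo_symlink_escape() -> bool:
    """Show the second layer: a symlink inside the destination pointing at '/'
    passes the lexical check but is refused by the realpath confinement.
    Returns True when the escape is correctly refused."""
    dest = tempfile.mkdtemp(prefix="rsync-dest-")
    os.symlink("/", os.path.join(dest, "escape"))
    try:
        return resolve_inside(dest, "escape/etc/passwd") is None
    finally:
        os.unlink(os.path.join(dest, "escape"))
        os.rmdir(dest)


if __name__ == "__main__":
    ok, bad = filter_file_list(CONSTRUCTED_FILE_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
    print("symlink escape refused:", demo_symlink_escape())
```

The two layers are complementary: the lexical check is cheap and catches everything an attacker can express in the name itself, while the realpath test covers state the attacker may have planted on disk in an earlier transfer (a symlink) that the name alone does not reveal.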

The operational impact of CVE-2022-29154 extends beyond simple file overwrites, creating significant risks for system administrators and security practitioners. Attackers exploiting this vulnerability can target critical system files including configuration files, authentication data, and sensitive directories such as .ssh/authorized_keys, which would allow for persistent unauthorized access to systems. The vulnerability is particularly dangerous in environments where users connect to untrusted rsync servers or when man-in-the-middle attacks are possible, as these scenarios provide attackers with the opportunity to manipulate file transfers. The attack vector requires minimal privileges from the attacker's perspective, as they only need to control a malicious rsync server or intercept network traffic, making this vulnerability particularly concerning for organizations that rely on rsync for file synchronization operations.

Mitigation strategies for CVE-2022-29154 primarily focus on upgrading to rsync version 3.2.5 or later, which includes proper input validation and sanitization mechanisms. Organizations should implement network segmentation and access controls so that clients only connect to trusted rsync servers, reducing the risk of reaching a malicious one. Additionally, administrators should consider network monitoring to detect unusual rsync traffic patterns and employ intrusion detection systems that can identify potential exploitation attempts. The vulnerability demonstrates the importance of input validation in network protocols and reinforces a principle from the OWASP Top 10 framework: insufficient logging and monitoring can lead to successful exploitation. System administrators should also review and tighten file system permissions for sensitive directories so that, even if an arbitrary file overwrite occurs, its impact is limited by proper access controls and privilege separation.

Reservation

04/13/2022

Disclosure

08/02/2022

Moderation

accepted

CPE

ready

EPSS

0.01650

KEV

no

Activities

very low

Sources
