CVE-2018-5764
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
Nessus
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2018-1_0-0132_RSYNC.NASL
description: An update of the rsync package has been released.
last seen: 2020-03-17
modified: 2019-02-07
plugin id: 121838
published: 2019-02-07
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/121838
title: Photon OS 1.0: Rsync PHSA-2018-1.0-0132
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2018-1.0-0132. The text
    # itself is copyright (C) VMware, Inc.

    include('compat.inc');

    if (description)
    {
      script_id(121838);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07");

      script_cve_id("CVE-2018-5764");

      script_name(english:"Photon OS 1.0: Rsync PHSA-2018-1.0-0132");
      script_summary(english:"Checks the rpm output for the updated packages.");

      script_set_attribute(attribute:"synopsis", value:
        "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
        "An update of the rsync package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-132.md");
      script_set_attribute(attribute:"solution", value:
        "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8822");

      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:rsync");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");

    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

    flag = 0;

    if (rpm_check(release:"PhotonOS-1.0", reference:"rsync-3.1.3-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"rsync-debuginfo-3.1.3-1.ph1")) flag++;

    if (flag)
    {
      security_report_v4(
        port     : 0,
        severity : SECURITY_HOLE,
        extra    : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rsync");
    }

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-034101216D.NASL
description: Removing dependencies on systemd-units ---- New version 3.1.3, includes security fix for CVE-2018-5764 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-02-06
plugin id: 106611
published: 2018-02-06
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106611
title: Fedora 26 : rsync (2018-034101216d)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2018-1_0-0132.NASL
description: An update of 'linux-esx', 'rsync', 'linux' packages of Photon OS has been released.
last seen: 2019-02-21
modified: 2019-02-07
plugin id: 111934
published: 2018-08-17
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111934
title: Photon OS 1.0: Linux / Rsync PHSA-2018-1.0-0132 (deprecated)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1944.NASL
description: According to the versions of the rsync package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
  - The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128947
published: 2019-09-17
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128947
title: EulerOS Virtualization for ARM 64 3.0.2.0 : rsync (EulerOS-SA-2019-1944)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2018-1049.NASL
description: According to the version of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerability :
  - The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. (CVE-2018-5764)
  Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2018-02-13
plugin id: 106777
published: 2018-02-13
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106777
title: EulerOS 2.0 SP1 : rsync (EulerOS-SA-2018-1049)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-0174-1.NASL
description: This update for rsync fixes one issue. This security issue was fixed :
  - CVE-2018-5764: The parse_arguments function in options.c did not prevent multiple --protect-args uses, which allowed remote attackers to bypass an argument-sanitization protection mechanism (bsc#1076503).
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106263
published: 2018-01-23
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106263
title: SUSE SLED12 / SLES12 Security Update : rsync (SUSE-SU-2018:0174-1)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2018-1050.NASL
description: According to the version of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerability :
  - The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. (CVE-2018-5764)
  Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2018-02-13
plugin id: 106778
published: 2018-02-13
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106778
title: EulerOS 2.0 SP2 : rsync (EulerOS-SA-2018-1050)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1247.NASL
description: It was discovered that there was an injection vulnerability in the rsync file-copying tool. For Debian 7
last seen: 2020-03-17
modified: 2018-01-19
plugin id: 106174
published: 2018-01-19
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106174
title: Debian DLA-1247-1 : rsync security update

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1806.NASL
description: According to the versions of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
  - The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. (CVE-2018-5764)
  - The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing
last seen: 2020-05-06
modified: 2019-08-23
plugin id: 128098
published: 2019-08-23
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128098
title: EulerOS 2.0 SP5 : rsync (EulerOS-SA-2019-1806)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2018-032-02.NASL
description: New rsync packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106565
published: 2018-02-02
reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/106565
title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : rsync (SSA:2018-032-02)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2020-1497.NASL
description: According to the versions of the rsync package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
  - The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing
last seen: 2020-04-30
modified: 2020-04-16
plugin id: 135659
published: 2020-04-16
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/135659
title: EulerOS Virtualization 3.0.2.2 : rsync (EulerOS-SA-2020-1497)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-0172-1.NASL
description: This update for rsync fixes one issue. This security issue was fixed :
  - CVE-2018-5764: The parse_arguments function in options.c did not prevent multiple --protect-args uses, which allowed remote attackers to bypass an argument-sanitization protection mechanism (bsc#1076503)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106261
published: 2018-01-23
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106261
title: SUSE SLES11 Security Update : rsync (SUSE-SU-2018:0172-1)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2018-2_0-0041.NASL
description: An update of {'ceph', 'linux-esx', 'rsync', 'linux', 'linux-secure', 'linux-aws'} packages of Photon OS has been released.
last seen: 2019-02-21
modified: 2019-02-07
plugin id: 111300
published: 2018-07-24
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111300
title: Photon OS 2.0 : ceph / linux-esx / rsync / linux / linux-secure / linux-aws (PhotonOS-PHSA-2018-2.0-0041) (deprecated)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2018-2_0-0041_RSYNC.NASL
description: An update of the rsync package has been released.
last seen: 2020-03-17
modified: 2019-02-07
plugin id: 121943
published: 2019-02-07
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/121943
title: Photon OS 2.0: Rsync PHSA-2018-2.0-0041

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-D0EBFAB3F3.NASL
description: New version 3.1.3, includes security fix for CVE-2018-5764 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-02-07
plugin id: 106646
published: 2018-02-07
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106646
title: Fedora 27 : rsync (2018-d0ebfab3f3)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-237.NASL
description: This update for rsync fixes one issue. This security issue was fixed :
  - CVE-2018-5764: The parse_arguments function in options.c did not prevent multiple --protect-args uses, which allowed remote attackers to bypass an argument-sanitization protection mechanism (bsc#1076503).
  This update was imported from the SUSE:SLE-12:Update update project.
last seen: 2020-06-05
modified: 2018-03-09
plugin id: 107244
published: 2018-03-09
reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/107244
title: openSUSE Security Update : rsync (openSUSE-2018-237)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1725.NASL
description: Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.
  - CVE-2016-9840: In order to avoid undefined behavior, remove offset pointer optimization, as this is not compliant with the C standard.
  - CVE-2016-9841: Only use post-increment to be compliant with the C standard.
  - CVE-2016-9842: In order to avoid undefined behavior, do not shift negative values, as this is not compliant with the C standard.
  - CVE-2016-9843: In order to avoid undefined behavior, do not pre-decrement a pointer in big-endian CRC calculation, as this is not compliant with the C standard.
  - CVE-2018-5764: Prevent remote attackers from being able to bypass the argument-sanitization protection mechanism by ignoring --protect-args when already sent by client.
  For Debian 8
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 123019
published: 2019-03-25
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/123019
title: Debian DLA-1725-1 : rsync security update

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3543-1.NASL
description: It was discovered that rsync incorrectly handled certain data input. An attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2017-16548) It was discovered that rsync incorrectly parsed certain arguments. An attacker could possibly use this to bypass arguments and execute arbitrary code. (CVE-2018-5764) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106295
published: 2018-01-24
reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106295
title: Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : rsync vulnerabilities (USN-3543-1)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2018-1244.NASL
description: According to the versions of the rsync package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
  - The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. (CVE-2017-17433)
  - The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 117553
published: 2018-09-18
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/117553
title: EulerOS Virtualization 2.5.0 : rsync (EulerOS-SA-2018-1244)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201805-04.NASL
description: The remote host is affected by the vulnerability described in GLSA-201805-04 (rsync: Arbitrary command execution). A vulnerability was discovered in rsync’s parse_arguments function in options.c.
  Impact : Remote attackers could possibly execute arbitrary commands with the privilege of the process.
  Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109627
published: 2018-05-09
reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/109627
title: GLSA-201805-04 : rsync: Arbitrary command execution

References
- http://www.securityfocus.com/bid/102803
- http://www.securitytracker.com/id/1040276
- https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
- https://git.samba.org/rsync.git/?p=rsync.git%3Ba=commit%3Bh=7706303828fcde524222babb2833864a4bd09e07
- https://lists.debian.org/debian-lts-announce/2018/01/msg00021.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00028.html
- https://security.gentoo.org/glsa/201805-04
- https://usn.ubuntu.com/3543-1/