
WARNING: CRITICAL HEAP-BASED BUFFER OVERFLOW LEADING TO RCE IN RSYNC FOR RHEL8.6, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-11
Version: 
1.0
Affected software: 
rsync for RHEL 8.6
Type: 
Heap-based buffer overflow
CVE/CVSS: 

CVE-2022-37434: CVSS 9.8 (NVD) - 7.0 (RHEL)

NVD 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RHEL 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Sources

https://access.redhat.com/errata/RHSA-2024:0254

Risks

CVE-2022-37434 is a critical heap-based buffer overflow vulnerability in zlib; the rsync package for RHEL 8.6 ships its own bundled copy of the affected zlib code. An attacker could exploit this vulnerability to trigger remote code execution on the exploited system. The exploit is triggered by passing a specially crafted (gzip-compressed) file to the affected application.

According to the Red Hat security advisory, the impact on confidentiality and integrity for the zlib copy bundled in rsync is low: the flaw is expected to cause a segmentation fault rather than give an attacker full control of the system. The impact on availability is high. This is why Red Hat scores the vulnerability lower (7.0) than NVD (9.8).

No active exploitation of this vulnerability has been observed.

Description

CVE-2022-37434 is a flaw in zlib's inflate() routine (inflate.c). It is triggered by a gzip member whose header carries an over-large extra field (FEXTRA) while the application has asked for the header through inflateGetHeader(). When the extra field is larger than the buffer the caller supplied for it, and the field is delivered across several inflate() calls, the copy into that buffer is not correctly bounded. Parsing such a specially crafted file causes a heap-based buffer over-read or buffer overflow in inflate(), which can crash the application or allow additional code to be executed with the privileges of the application.

It is important to note that some common applications bundle the affected zlib source code but may never call inflateGetHeader(); only code paths that request the gzip header through inflateGetHeader() with a caller-supplied extra buffer reach the flawed copy.
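How the overflow arises, as an added illustration that is not part of this advisory nor of zlib's source code: the two functions below model the arithmetic of the extra-field copy in zlib's inflate() before and after the upstream fix. The gz_hdr structure, the function names, the constructed gzip header and the chunked-delivery simulation are this example's own simplifications; only the length computation and the added bound check follow the real code.

```c
#include <stddef.h>
#include <stdio.h>

/* Subset of zlib's gz_header relevant to the FEXTRA copy (assumed layout). */
typedef struct {
    unsigned char *extra;   /* caller-supplied buffer for the extra field */
    unsigned extra_len;     /* XLEN read from the stream by inflate() */
    unsigned extra_max;     /* capacity of extra, set by the caller */
} gz_hdr;

/* Pre-fix arithmetic, modelled on the copy in inflate()'s EXTRA state.
 * 'remaining' plays the role of state->length (bytes of the field not yet
 * consumed) and 'avail' the input bytes present in this inflate() call.
 * Once the already-consumed offset 'len' passes extra_max, the expression
 * extra_max - len wraps as unsigned and memcpy would be asked for ~4 GiB:
 * that is the heap overflow of 'extra' and the over-read of the input. */
static unsigned copy_len_vulnerable(const gz_hdr *h, unsigned remaining,
                                    unsigned avail)
{
    unsigned copy = remaining < avail ? remaining : avail;
    unsigned len = h->extra_len - remaining;
    return len + copy > h->extra_max ? h->extra_max - len : copy;
}

/* Post-fix arithmetic: nothing is copied once len >= extra_max. */
static unsigned copy_len_fixed(const gz_hdr *h, unsigned remaining,
                               unsigned avail)
{
    unsigned copy = remaining < avail ? remaining : avail;
    unsigned len = h->extra_len - remaining;
    if (len >= h->extra_max)
        return 0;
    return len + copy > h->extra_max ? h->extra_max - len : copy;
}

/* Read XLEN from a gzip member header. Returns 0 unless FEXTRA is set. */
int gzip_xlen(const unsigned char *buf, size_t n, unsigned *xlen)
{
    if (n < 12 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return 0;                       /* not a deflate gzip member */
    if (!(buf[3] & 0x04))
        return 0;                       /* FLG.FEXTRA not set */
    *xlen = buf[10] | (unsigned)buf[11] << 8;   /* 16-bit little-endian */
    return 1;
}

/* Deliver an xlen-byte extra field in 'chunk'-byte pieces (one inflate()
 * call each) and return the largest single copy length requested. */
unsigned max_copy_request(unsigned xlen, unsigned extra_max, unsigned chunk,
                          int fixed)
{
    unsigned char extra[64];            /* stands in for the caller's heap buffer */
    gz_hdr h = { extra, xlen, extra_max };
    unsigned worst = 0;
    unsigned remaining = xlen;
    while (remaining) {
        unsigned avail = remaining < chunk ? remaining : chunk;
        unsigned n = fixed ? copy_len_fixed(&h, remaining, avail)
                           : copy_len_vulnerable(&h, remaining, avail);
        if (n > worst)
            worst = n;
        remaining -= avail;
    }
    return worst;
}

int main(void)
{
    /* Constructed gzip header: ID1 ID2 CM=8 FLG=FEXTRA MTIME(4) XFL OS XLEN=1024 */
    static const unsigned char hdr[] = {
        0x1f, 0x8b, 0x08, 0x04, 0, 0, 0, 0, 0x00, 0x03, 0x00, 0x04
    };
    unsigned xlen = 0;
    if (!gzip_xlen(hdr, sizeof hdr, &xlen))
        return 1;
    /* The caller provided a 16-byte extra buffer; input arrives 16 bytes per call. */
    printf("XLEN=%u, extra_max=16\n", xlen);
    printf("vulnerable, 16-byte chunks: largest copy %u\n",
           max_copy_request(xlen, 16, 16, 0));
    printf("vulnerable, one call:       largest copy %u\n",
           max_copy_request(xlen, 16, xlen, 0));
    printf("fixed, 16-byte chunks:      largest copy %u\n",
           max_copy_request(xlen, 16, 16, 1));
    return 0;
}
```

The simulation shows why the bug depends on how the input arrives: when the whole 1024-byte field is present in a single call, the pre-fix arithmetic correctly clamps the copy to the 16-byte buffer, but once the field spans several calls and the consumed offset exceeds extra_max, the unsigned subtraction wraps and the requested copy length becomes enormous. The post-fix check refuses the copy in that state, which is the one-line change the upstream fix introduced.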

Affected products (rsync package):
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
• Red Hat Enterprise Linux Server - AUS 8.6 x86_64
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.6 x86_64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

 

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Follow the instructions provided by Red Hat on “https://access.redhat.com/errata/RHSA-2024:0254” to update the vulnerable rsync package.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-37434

https://access.redhat.com/security/cve/CVE-2022-37434