Chúng tôi sử dụng cookie để giúp cải thiện trang web của mình. Vui lòng Đọc dữ liệu của chúng tôi Chính sách cookie .
Tư vấn bảo mật sản phẩm ASUSTOR

AS-2026-012: Rsync

2026-05-21

Severity

Important

Status

Ongoing

Statement

The Rsyn team announced multiple vulnerabilities that have been fixed in the latest release of Rsyn.

CVE-2026-29518, CVE-2026-43617, CVE-2026-43618 and CVE-2024-12084 affected ASUSTOR products with from ADM 4.1 to ADM 5.1. Updates with Rsyn 3.4.3 will be released as soon as possible.


Affected Products

Product Severity Fixed Release Availability
ADM 5.0 and 5.1 Important Ongoing
ADM 4.3, 4.2 and 4.1 Important Ongoing

Detail

  • CVE-2026-29518
    • Severity: High
    • CVSS4 Base Score: 7.3
    • CVSS4 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    • Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
  • CVE-2026-43617
    • Severity: Medium
    • CVSS4 Base Score: 6.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.
  • CVE-2026-43618
    • Severity: Medium
    • CVSS4 Base Score: 6.1
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
    • Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
  • CVE-2024-12084
    • Severity: Critical
    • CVSS3.1 Base Score: 9.8
    • CVSS3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Reference


Revision

Revision Date Description
1 2026-05-21 Initial public release.