The team responsible for Rsync, an open-source file-transfer program, has released a fix for a security flaw used in the recent compromise of a Gentoo Linux project server.
The team said that the attacker used a flaw in Rsync along with a recently announced bug in the Linux kernel to penetrate the security of the Gentoo machine, which was subsequently taken offline for analysis. Debian Linux project servers were recently compromised using the same Linux kernel flaw, which allows an integer overflow in a system call. This problem has been repaired in a patched version of the Linux kernel.
Rsync is a file transfer program for Unix systems that is tailored for transfers of incremental software changes -- for example, it can be set up to transfer only modified parts of a file, rather than the entire file.
The attack and compromise of Gentoo's server came after several machines belonging to the Debian Linux project were breached by attackers last month. A forensic analysis of the Debian machines revealed no software packages or source code offered for download were affected -- a claim now being made by Gentoo. Gentoo and Debian are both distributions of the open-source operating system based on the Linux kernel, which is highly popular for servers.
The flaw in Rsync versions 2.5.6 and earlier cannot be used on its own to remotely gain administrator, or root, access to an Rsync server, but could be used with the kernel flaw for a full remote compromise -- as was apparently the case with Gentoo's Rsync server. Gentoo's compromised server used a configuration option that made the attack easier, the Rsync team said. The exploit does not work unless Rsync is being used as a server.
Users are advised to immediately upgrade to the fixed version of Rsync, version 2.5.7, upgrade to a version of the Linux kernel later than 2.4.23, and remove the "use chroot = no" setting from the Rsync server configuration so that chroot stays enabled. Instructions and Rsync patches are available from Rsync's Web site.
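As an added example (not code from the article or from the Rsync project), a small Python audit that flags rsyncd.conf modules that would run with chroot disabled and checks rsync and kernel version strings against the releases the article names; the sample configuration, its module names and paths are constructed for the demonstration.

```python
import configparser
import re

# Constructed sample rsyncd.conf (not taken from any real server), used
# for the offline demonstration below.
SAMPLE_RSYNCD_CONF = """\
# global parameters apply to every module unless a module overrides them
use chroot = yes
max connections = 4

[portage]
    path = /space/rsync/portage
    read only = yes
    use chroot = no

[distfiles]
    path = /space/rsync/distfiles
    read only = yes
"""

def parse_rsyncd_conf(text):
    """rsyncd.conf is INI-like, but global parameters precede the first
    [module] header, so a synthetic [global] section is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp

def modules_without_chroot(text):
    """Modules that would serve files with chroot disabled. rsync defaults
    to 'use chroot = yes'; a global setting overrides the default and a
    module setting overrides both."""
    cp = parse_rsyncd_conf(text)
    default = cp["global"].getboolean("use chroot", fallback=True)
    return [m for m in cp.sections()
            if m != "global" and not cp[m].getboolean("use chroot", fallback=default)]

def version_tuple(s):
    """First three integers in a version string, so both a kernel release
    such as '2.4.23-grsec' and the output of 'rsync --version' work."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])

def rsync_is_fixed(version_output):
    return version_tuple(version_output) >= (2, 5, 7)   # fixed release per the article

def kernel_is_fixed(release):
    return version_tuple(release) > (2, 4, 23)          # "later than 2.4.23" per the article

if __name__ == "__main__":
    print("modules with chroot disabled:", modules_without_chroot(SAMPLE_RSYNCD_CONF))
    print("rsync 2.5.6 fixed?", rsync_is_fixed("rsync  version 2.5.6  protocol version 26"))
```

On a live host, feed the contents of /etc/rsyncd.conf, the output of `rsync --version` and `uname -r` to the three functions.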