January 2025 – Multiple rsync CVEs impacting memory and file handling in Linux virtual images

The latest versions of HAProxy Fusion fix multiple rsync vulnerabilities related to memory handling and file management in HAProxy Fusion’s Linux-based virtual images. Specifically, attackers can take advantage of weaknesses in rsync checksum mechanisms and symbolic link verification processes. 

These five CVEs only affect components within HAProxy Fusion binaries. We'll cover each in greater detail before sharing remediation steps. 

If you are using HAProxy Fusion virtual images, you should upgrade to the fixed version as soon as possible. There are no workarounds available.

If you are using HAProxy Fusion installation packages, you should upgrade your rsync packages to the latest version following the usual procedure for your operating system.

High-impact CVEs

CVE-2024-12085

This CVE exposes a flaw within the rsync daemon which could be triggered when rsync compares file checksums. This allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory, and leak one byte of uninitialized stack data at a time.

This impacts all rsync versions.

CVE-2024-12086

This CVE exposes a flaw within rsync that could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs as files are copied from client to server. During this process, the rsync server will send checksums of local data to the client for comparison to determine what data needs to be sent back. By sending carefully constructed checksum values for arbitrary files, an attacker may be able to reconstruct file data byte-by-byte based on responses from the client.

This impacts all rsync versions.

CVE-2024-12087

This CVE exposes a path traversal vulnerability within rsync stemming from behavior enabled by the --inc-recursive option. This is enabled by default for many client options and can be enabled by the server even if not explicitly enabled by the client. 

When using the --inc-recursive option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid client directories and paths.

This impacts all rsync versions.

CVE-2024-12088

This CVE exposes a verification flaw within rsync. When using the --safe-links option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the intended directory.

This impacts all rsync versions.
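The verification gap behind CVE-2024-12088 (and the out-of-tree writes in CVE-2024-12087) comes down to inspecting a link's text without resolving the links that text passes through. The Python below is an added illustration, not rsync's or HAProxy's code: it builds a constructed directory layout under a temporary directory, where link_text_looks_safe (a hypothetical textual check) accepts a link whose target walks through another symlink pointing outside the destination, while resolves_within rejects it by resolving the complete path before comparing it to the destination root.

```python
import os
import tempfile

def link_text_looks_safe(link_text: str) -> bool:
    # Textual check only: relative link that never climbs above its own
    # directory. Insufficient alone: a component may itself be a symlink.
    if link_text.startswith("/"):
        return False
    depth = 0
    for part in link_text.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        elif part not in ("", "."):
            depth += 1
    return True

def resolves_within(dest_root: str, path: str) -> bool:
    # Resolve every symlink along path, including links nested inside a
    # link target, and confirm the result is still under dest_root.
    root = os.path.realpath(dest_root)
    resolved = os.path.realpath(path)
    return resolved == root or resolved.startswith(root + os.sep)

def build_scenario(base: str) -> str:
    # Constructed layout (hypothetical): dest/escape points outside dest,
    # so dest/data -> "escape/secret" looks safe textually but is not.
    dest, outside = os.path.join(base, "dest"), os.path.join(base, "outside")
    os.makedirs(os.path.join(dest, "subdir"))
    os.makedirs(outside)
    os.symlink("subdir/file", os.path.join(dest, "ok"))      # stays inside
    os.symlink(outside, os.path.join(dest, "escape"))        # absolute, outside
    os.symlink("escape/secret", os.path.join(dest, "data"))  # nested escape
    return dest

def audit_links(dest: str) -> dict:
    # Report both checks for every symlink directly under dest.
    report = {}
    for name in sorted(os.listdir(dest)):
        full = os.path.join(dest, name)
        if os.path.islink(full):
            text_ok = link_text_looks_safe(os.readlink(full))
            report[name] = {"text_ok": text_ok, "resolved_ok": resolves_within(dest, full)}
    return report

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as base:
        return audit_links(build_scenario(base))
```

In the report, "data" passes the textual check and fails the resolved check, which is exactly the nested-link case the textual check cannot see.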

CVE-2024-12747

This CVE exposes a flaw within rsync that arises from a race condition during its handling of symbolic links. By default, rsync skips symbolic links upon encountering them. If an attacker replaces a regular file with a symbolic link at a precise moment, it is possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

This impacts all rsync versions.

Affected versions and remediation

HAProxy Technologies released new versions of HAProxy Fusion virtual images on Tuesday, 21 January 2025. You can identify the fixed versions by the release date 20250121 or later.

These releases patch the vulnerabilities described in CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747 (CVSSv3 scores ranging from 5.6 to 7.5).

Users should immediately upgrade to these fixed HAProxy Fusion virtual images by following our HAProxy Fusion upgrade instructions.

Support

If you are a customer and have questions about upgrading to the latest version, please get in touch with the HAProxy support team.
