
How to remediate – rsync STARTTLS Command Support

1. Introduction

The rsync STARTTLS Command Support vulnerability means that the remote rsync service allows encryption of data in transit using the ‘#starttls’ command. This is a concern because, while it enables encryption, it doesn’t enforce it and cleartext communication remains possible. Systems running rsync are usually affected, especially those used for backups or file synchronisation. A successful exploit could lead to information disclosure, impacting confidentiality of transferred data.

2. Technical Explanation

The vulnerability arises from the rsync server accepting the ‘#starttls’ command without requiring encryption. An attacker can initiate a connection and negotiate either an encrypted or unencrypted channel. This means sensitive data may be transmitted in plain text if the client does not explicitly request encryption, or if the negotiation fails. There is no known CVE associated with this specific configuration issue. A simple example would involve connecting to the rsync server and initiating a file transfer without specifying STARTTLS, resulting in cleartext communication.

  • Root cause: The rsync server does not mandate encrypted connections when using the ‘#starttls’ command.
  • Exploit mechanism: An attacker connects to the rsync server and initiates a data transfer without requesting encryption via STARTTLS.
  • Scope: All systems running rsync versions that support the ‘#starttls’ command are potentially affected.

3. Detection and Assessment

You can confirm if your system is vulnerable by checking whether the rsync service supports the STARTTLS command. A quick check involves attempting a connection with and without STARTTLS.

  • Quick checks: Use `rsync --version` to identify the installed version of rsync. Then, attempt a connection using `rsync -avz --rsh='ssh -o StrictHostKeyChecking=no' user@host ls` followed by `rsync -avz --rsh='ssh -o StrictHostKeyChecking=no -o 'nc -l 12345 | /usr/bin/rsync --daemon --server --protocol-version=38 --socket-addr=localhost:0' user@host ls`.
  • Scanning: Nessus plugin ID 16792 can detect this issue. This is an example only and may require updates.
  • Logs and evidence: Check rsync logs (location varies by distribution, often /var/log/rsyncd.log) for connection attempts and negotiation details. Look for messages indicating cleartext communication.

4. Solution / Remediation Steps

To fix this issue, configure rsync to require encryption when using STARTTLS or disable the feature if it is not required.

4.1 Preparation

  • Ensure you have access to edit the rsyncd.conf file and restart the rsync service. A rollback plan involves restoring the original rsyncd.conf file and restarting the service.
  • A change window may be needed if this impacts production backups or synchronisation processes. Approval from system owners is recommended.

4.2 Implementation

  1. Step 1: Edit the rsync configuration file (rsyncd.conf).
  2. Step 2: Add the line `ssl = yes` to enforce encrypted connections.
  3. Step 3: Restart the rsync service using `systemctl restart rsync`.

4.3 Config or Code Example

Before

# rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
timeout = 300

After

# rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
timeout = 300
ssl = yes
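The following script is an added example, not part of the original article: it parses an rsyncd.conf file and reports whether the global `ssl = yes` line this page prescribes is present, so the same check can serve the Section 3 assessment and the Section 6 baseline review. It assumes `ssl` is the parameter to look for (as stated above) and inspects the file only, not the running daemon; the sample inputs are the Before/After configurations from this page, embedded as constructed strings.

```python
import re

# Constructed sample inputs mirroring the "Before" and "After"
# rsyncd.conf shown on this page.
BEFORE_CONF = """# rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
timeout = 300
"""
AFTER_CONF = BEFORE_CONF + "ssl = yes\n"


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into {'global': {...}, 'modules': {name: {...}}}.

    Follows the rsyncd.conf rules: '#' lines are comments, a trailing '\\'
    continues a line, parameters before the first [module] are global, and
    parameter names are case-insensitive with whitespace collapsed.
    """
    conf = {"global": {}, "modules": {}}
    current = conf["global"]
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.*)\]$", line)
        if header:
            name = " ".join(header.group(1).split())
            current = conf["modules"].setdefault(name, {})
            continue
        if "=" not in line:
            continue  # malformed line; skipped rather than guessed at
        key, value = line.split("=", 1)
        current[" ".join(key.lower().split())] = value.strip()
    return conf


def check_ssl_enforced(text):
    """Return (compliant, findings); compliant only when 'ssl = yes' is global."""
    conf = parse_rsyncd_conf(text)
    findings = []
    value = conf["global"].get("ssl")
    if value is None:
        only = [n for n, p in conf["modules"].items() if "ssl" in p]
        where = f" (set only in module {', '.join(only)})" if only else ""
        findings.append(f"global 'ssl' parameter missing{where}; cleartext remains allowed")
    elif value.lower() not in ("yes", "true", "1"):
        findings.append(f"global 'ssl = {value}' does not enforce encryption")
    return (not findings, findings)
```

Run it against /etc/rsyncd.conf on each host in the review and treat any non-empty findings list as a baseline deviation.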

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Practice 1: Least privilege – run the rsync service with minimal necessary permissions to limit potential damage if compromised.
  • Practice 2: Safe defaults – configure rsync with secure settings by default, such as requiring encryption and limiting access.

4.5 Automation (Optional)

If using Ansible, you can automate the configuration change.

---
- hosts: all
  become: yes
  tasks:
    - lineinfile:
        path: /etc/rsyncd.conf
        regexp: '^ssl ='
        line: ssl = yes
        state: present
    - service:
        name: rsync
        state: restarted

5. Verification / Validation

Confirm the fix by checking that rsync now requires encryption. Attempt a connection without STARTTLS and verify it fails.

  • Post-fix check: Run `rsync -avz --rsh='ssh -o StrictHostKeyChecking=no' user@host ls`. The connection should fail with an error related to SSL/TLS negotiation.
  • Re-test: Re-run the quick check from Section 3, attempting a connection without STARTTLS. It should now be rejected.
  • Monitoring: Monitor rsync logs for any errors related to SSL/TLS connections. Look for messages indicating successful encrypted connections.

6. Preventive Measures and Monitoring

Update security baselines to include the requirement for rsync encryption. For example, a CIS control or GPO/Intune setting can enforce this.

  • Baselines: Update your security baseline to require `ssl = yes` in the rsyncd.conf file.
  • Asset and patch process: Review rsync configurations regularly as part of a vulnerability management process, at least quarterly.

7. Risks, Side Effects, and Roll Back

Enforcing encryption may cause compatibility issues with older clients that do not support STARTTLS.

  • Roll back: Step 1: Restore the original rsyncd.conf file. Step 2: Restart the rsync service using `systemctl restart rsync`.

8. References and Resources

Links related to this exact vulnerability.

Updated on December 27, 2025
