default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

The remote host is affected by the vulnerability described in GLSA-201702-05 (Lsyncd: Remote execution of arbitrary code)

    default-rsyncssh.lua in Lsyncd performed insufficient sanitising of       filenames.
  Impact :

    An attacker, able to control files processed by Lsyncd, could possibly       execute arbitrary code with the privileges of the process or cause a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that lsyncd, a daemon to synchronize local directories using rsync, performed insufficient sanitising of filenames which might result in the execution of arbitrary commands.

Fix bad shell argument escaping

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
97111	GLSA-201702-05 : Lsyncd: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
80574	Debian DSA-3130-1 : lsyncd - security update	Nessus	Debian Local Security Checks	high
79770	Fedora 21 : lsyncd-2.1.5-6.fc21 (2014-15338)	Nessus	Fedora Local Security Checks	high
79673	Fedora 20 : lsyncd-2.1.4-4.fc20.1 (2014-15393)	Nessus	Fedora Local Security Checks	high
79672	Fedora 19 : lsyncd-2.1.4-4.fc19.1 (2014-15373)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2014-8990

critical

Tenable Plugins

high

high

high

high

high