Detecting and mitigating CVE-2024-12084: rsync remote code execution
Blog post from Sysdig
On January 14, 2025, a set of vulnerabilities in the "rsync" utility was announced, the most severe being CVE-2024-12084, a heap overflow that could lead to remote code execution. Rsync is widely used for file synchronization and can operate both locally and remotely, often listening on TCP port 873 as a daemon. While no active exploitation has been observed, detection strategies involve monitoring for unusual command executions with tools such as Falco, which can help identify potential arbitrary command execution. Mitigation requires upgrading rsync to version 3.4.0 or ensuring that instances are not exposed to the Internet. For those using Sysdig Secure, automated responses, including terminating processes or containers, are supported, and the platform can aid forensic analysis through syscall capture.
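The two defender-side checks the summary describes, as an added example that is not code from the Sysdig post: a version check that parses `rsync --version` output and compares it against the 3.4.0 fix release, and a detection pass over process-exec events that flags an rsync daemon spawning a shell, the "unusual command execution" pattern a Falco rule would look for. The event records and the sample `rsync --version` strings are constructed for this example; the field names (`name`, `parent`, `cmdline`) mirror Falco's `proc.name`, `proc.pname` and `proc.cmdline` but are this example's own structure, not a Falco API.

```python
"""Added example (not from the Sysdig post) for CVE-2024-12084 defence.

1. parse_rsync_version / is_patched: decide whether an installed rsync is at
   least 3.4.0, the fixed release named in the post.
2. suspicious_rsync_children: scan constructed process-exec events for an
   rsync process spawning a shell, the post-exploitation pattern a Falco
   rule would alert on.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# rsync 3.4.0 ships the fix for CVE-2024-12084 (per the post).
FIXED_VERSION: Tuple[int, int, int] = (3, 4, 0)

# Real `rsync --version` output starts with e.g. "rsync  version 3.2.7  protocol version 31".
_VERSION_RE = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)")


def parse_rsync_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `rsync --version` text, or None if absent."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version_output: str) -> bool:
    """True only when a version was found and it is >= 3.4.0.

    Tuples are compared numerically, so 3.10.0 correctly ranks above 3.4.0
    (a naive string comparison would get that wrong).
    """
    v = parse_rsync_version(version_output)
    return v is not None and v >= FIXED_VERSION


# Shell binaries whose appearance as a child of rsync is worth an alert.
SHELL_BINARIES = frozenset({"sh", "bash", "dash", "zsh", "ksh", "ash"})


@dataclass(frozen=True)
class ExecEvent:
    """A constructed stand-in for one process-exec event (Falco: spawned_process)."""
    pid: int
    name: str       # executable name of the new process (proc.name)
    parent: str     # executable name of its parent (proc.pname)
    cmdline: str    # full command line (proc.cmdline)
    user: str       # user the process runs as (user.name)


def is_suspicious_rsync_child(ev: ExecEvent) -> bool:
    """rsync should transfer files, not start shells.

    Caveat: rsyncd.conf's `pre-xfer exec` / `post-xfer exec` options launch
    commands legitimately; if you use them, allow-list those command lines.
    """
    return ev.parent == "rsync" and ev.name in SHELL_BINARIES


def suspicious_rsync_children(events: Iterable[ExecEvent]) -> List[ExecEvent]:
    """Return every event that matches the rsync-spawns-shell pattern."""
    return [ev for ev in events if is_suspicious_rsync_child(ev)]


# Constructed sample events: one benign rsync transfer, one rsync-spawned
# shell (the pattern to alert on), and an unrelated shell from sshd.
SAMPLE_EVENTS = [
    ExecEvent(101, "rsync", "rsync", "rsync --server --daemon .", "rsync"),
    ExecEvent(102, "sh", "rsync", "sh -c id", "rsync"),
    ExecEvent(103, "bash", "sshd", "-bash", "alice"),
]


if __name__ == "__main__":
    for sample in ("rsync  version 3.2.7  protocol version 31",
                   "rsync  version 3.4.0  protocol version 32"):
        print(f"{sample!r}: patched={is_patched(sample)}")
    for ev in suspicious_rsync_children(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} user={ev.user} parent={ev.parent} cmdline={ev.cmdline!r}")
```

Feed `is_patched` the output of `rsync --version` on each host (and, for the exposure half of the mitigation, pair it with your own inventory of which hosts listen on TCP 873); the event scan is the logic you would express in a Falco rule condition such as `spawned_process and proc.pname = "rsync" and proc.name in (shell_binaries)`.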