Security news that informs and inspires

Misconfigured Backup Servers Potentially Exposing Data

A widely used backup and file synchronization utility is not being configured with sufficient security controls, potentially exposing thousands of sensitive files on the Internet, researchers from Rapid7 Labs said.

The rsync utility synchronizes files across systems and is commonly used in enterprises for archiving and backup purposes. The utility sorts files and directories into modules, and looking in the module lists the names, file sizes, and user permissions for each of the files and directories being stored on the server. Rapid7 Labs looked at Project Sonar data for machines on the public internet exposing some kind of service on TCP port 873—the port commonly used by rsync. Of the 231,000 rsync servers found, 14,000 systems had more than 5.3 million files “at possible risk of unauthorized read or write,” wrote Jon Hart, a senior security researcher at Rapid7, and Shan Sikdar, a Rapid7 data engineer. Anyone could see the contents of these modules—with names such as home, NetBackup, surveillance, and backup, as well as names associated with the Linux file system, such as etc, root, and debian—on these servers. Some filenames inside the modules included rsyncd.conf, passwd, and main.conf.

“Overall, the names of these modules suggest that most of these publicly available rsync instances are being used for backup and archival purposes, which is not surprising given rsync’s purpose and history,” Hart and Sikdar wrote. 

Rapid7 Labs, along with Swiss consultancy Binary Edge, found that approximately 18 percent of rsync servers identified in this analysis required authentication before displaying the list of modules. Presumably, if authentication is required just to peer inside a module, then authentication—or some other security control—would be needed to read or write the files and directory within. By that logic, systems that do not require authentication before providing the list of modules would potentially allow unauthorized users to read or modify the module’s contents.

“It is likely that there is a vast, unexplored treasure trove of sensitive data exposed by simple misconfigurations of rsync-enabled storage, backup, and archive devices,” Hart and Sikdar wrote.

“The more severe risk comes from when these potentially sensitive files are readable—or worse, writable—without authentication,” the researchers wrote.

Just the act of listing the contents of modules isn’t automatically a problem, and exposing rsync on the internet is not automatically a bad idea. In the case of a file distribution platform—an open source repository to distribute an application, for example—listing the modules publicly is desired behavior. In the case of a backup server, though, letting anyone see what information is stored is potentially a problem.

In July, security researcher Chris Vickery found an exposed backup server containing 10 years worth of corporate documents—assembly line schematics, factory floor plans, and robotic configurations, to name a few—from more than 100 manufacturing companies, including automakers GM, Fiat Chrysler, Ford, Tesla, Toyota, and Volkswagen. The exposed rsync server, belonging to industrial automation services supplier Level One Robotics, did not require authentication or have specific access restrictions. As a result, anyone who knew where to look would have been able to access these confidential documents.

One of the reasons for so many exposed rsync servers may have to do with the fact that many vendors, such as QNAP, Synology, and Buffalo, use rsync for their cloud-accessible network storage devices, the researchers said. These devices are designed to be easy to use, which make them also easy to misconfigure, leading users to unknowingly exposing their files on the internet. The answer isn't more documentation, since that can be more confusing.

“It is likely that there is a vast, unexplored treasure trove of sensitive data exposed by simple misconfigurations of rsync-enabled storage, backup, and archive devices,” Hart and Sikdar wrote.

While at one point, it was “fine” to put rsync servers on the internet, the current threat landscape has shown that “rsync on the public internet is no longer OK,” Hart and Sikdar said. The “only remotely acceptable” use case is for file distribution, and even that is risky, as it exposes users to potential snooping and man-in-the-middle attacks.

In situations where rsync “absolutely must” must be on the internet, administrators should turn on authentication settings in the rsyncd.conf configuration file. Rsync has some built-in security features, such as host- and file-level access control lists, which can be used to set read-only and write-only options. Even though the utility doesn’t natively encrypt data in transit, the data can be protected if rsync is used over a Secure Shell (SSH) tunnel. Another method is to restrict the privileges assigned to the user account running rsync—the utility is typically run by root or a similarly privileged user, so reducing the the user permissions can block unauthorized attempts to read or write the files. At the very least, the rsync server should limit which IP addresses it accepts connections from.

It is understandable that, nestled behind a firewall, many users might even disable authentication entirely for their backup system or use default or easily guessed credentials," the researchers wrote. "Combined with enabling remote access, as previously described, accidental exposure is just a misclick away.