LKX-2023-001 VinChin VMWare Backup
2023-10-28 01:3:19 Author: seclists.org(查看原文) 阅读量:13 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Gregory Boddin via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 25 Oct 2023 23:23:46 +0000

VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen 
Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following 
vulnerabilities:

CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0
During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded 
credentials.

CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0
While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper 
input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code 
with the permissions of the web server.


Timeline:
2023-09-22: LeakIX makes initial contact
2023-09-25: VinChin request details
2023-09-25: LeakIX request Safe harbour
2023-09-26: No reply, LeakIX requests update
2023-09-27: No reply, LeakIX sends PoC
2023-09-29: No reply, LeakIX requests feedback
2023-10-05: No reply, LeakIX requests feedback
2023-10-10: No reply, LeakIX requests feedback from alternative email
2023-10-11: No reply, LeakIX requests feedback from another alternative email
2023-10-16: No reply, CVE reserved and vendor notified
2023-10-18: No reply, LeakIX sent 7 day disclosure warning
2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
2023-10-26: No reply, Publishing this advisory

Attachment: publickey - [email protected] - 0x6E783F68.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • LKX-2023-001 VinChin VMWare Backup Gregory Boddin via Fulldisclosure (Oct 27)

文章来源: https://seclists.org/fulldisclosure/2023/Oct/31
如有侵权请联系:admin#unsafe.sh