VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.<\/p>\n
VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities:<\/p>\n
CVE-2023-45499 – VinChin VMWare Backup 5.0 to 7.0
\nDuring our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.<\/p>\n
CVE-2023-45498 – VinChin VMWare Backup 5.0 to 7.0
\nWhile exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.<\/p>\n
Timeline:
\n2023-09-22: LeakIX makes initial contact
\n2023-09-25: VinChin request details
\n2023-09-25: LeakIX request Safe harbour
\n2023-09-26: No reply, LeakIX requests update
\n2023-09-27: No reply, LeakIX sends PoC
\n2023-09-29: No reply, LeakIX requests feedback
\n2023-10-05: No reply, LeakIX requests feedback
\n2023-10-10: No reply, LeakIX requests feedback from alternative email
\n2023-10-11: No reply, LeakIX requests feedback from another alternative email
\n2023-10-16: No reply, CVE reserved and vendor notified
\n2023-10-18: No reply, LeakIX sent 7 day disclosure warning
\n2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
\n2023-10-26: No reply, Publishing this advisory<\/p>\n","protected":false},"excerpt":{"rendered":"
VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage. VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities: CVE-2023-45499 – …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50716","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50716"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50716\/revisions"}],"predecessor-version":[{"id":50751,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50716\/revisions\/50751"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}