Headline
CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup
VinChin Backup & Recovery v5.0., v6.0., v6.7., and v7.0. was discovered to contain hardcoded credentials.
Sun Oct 15, 2023 by BloodyShell in vulnerability, research, LeakIX vulnerability, research, LeakIX
Vulnerability research
At LeakIX we analyse new vulnerabilities discovered by other researchers every day.
Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.
While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.
We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:
- Servers
- Hypervisors
- Storage
- Cloud accounts
VinChin Backup
VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.
It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.
CVE-2023-45499
During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.
The privileges granted are high since ACLs are bypassed for this authentication method.
The list of actions available from the API includes:
- View/Edit/Add/Delete storage
- View/Delete backups
- View/Edit/Add/Delete jobs
- View/Edit/Add/Delete cloud accounts
- View/Edit/Add/Delete hypervisors
- View/Edit/Add/Delete users
- Query various information such as:
- Services status
- System information
- Licensing
The list is non-exhaustive.
CVE-2023-45498
While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.
Demo
Affected versions
During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.
IOC
Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.
Mitigation
At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.
Timeline
2023-09-22: LeakIX makes initial contact
2023-09-25: VinChin request details
2023-09-25: LeakIX request Safe harbour
2023-09-26: No reply, LeakIX requests update
2023-09-27: No reply, LeakIX sends PoC
2023-09-29: No reply, LeakIX requests feedback
2023-10-05: No reply, LeakIX requests feedback
2023-10-10: No reply, LeakIX requests feedback from alternative email
2023-10-11: No reply, LeakIX requests feedback from another alternative email
2023-10-16: No reply, CVE reserved and vendor notified
2023-10-18: No reply, LeakIX sent 7 day disclosure warning
2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
2023-10-26: No reply, Publishing this advisory
Related news
VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.