VinChin VMWare Backup 7.0 Hardcoded Credential / Remote Code Execution
VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.
VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

VinChin has failed to acknowledge the various requests sent over a period of a month; we are thus disclosing the following vulnerabilities:

CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0
During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0
While exploring the various functionalities exposed by the API, a particular endpoint was found to be vulnerable to improper input sanitization. A specially crafted payload results in remote code execution, allowing the attacker to execute code with the permissions of the web server.

Timeline:
2023-09-22: LeakIX makes initial contact
2023-09-25: VinChin requests details
2023-09-25: LeakIX requests safe harbour
2023-09-26: No reply, LeakIX requests update
2023-09-27: No reply, LeakIX sends PoC
2023-09-29: No reply, LeakIX requests feedback
2023-10-05: No reply, LeakIX requests feedback
2023-10-10: No reply, LeakIX requests feedback from alternative email
2023-10-11: No reply, LeakIX requests feedback from another alternative email
2023-10-16: No reply, CVE reserved and vendor notified
2023-10-18: No reply, LeakIX sends 7 day disclosure warning
2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network
2023-10-26: No reply, publishing this advisory
Related news
CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* were discovered to contain hardcoded credentials.