lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Oct 2023 23:23:46 +0000 From: Gregory Boddin via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] LKX-2023-001 VinChin VMWare Backup VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage. VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities: CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0 During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials. CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0 While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server. Timeline: 2023-09-22: LeakIX makes initial contact 2023-09-25: VinChin request details 2023-09-25: LeakIX request Safe harbour 2023-09-26: No reply, LeakIX requests update 2023-09-27: No reply, LeakIX sends PoC 2023-09-29: No reply, LeakIX requests feedback 2023-10-05: No reply, LeakIX requests feedback 2023-10-10: No reply, LeakIX requests feedback from alternative email 2023-10-11: No reply, LeakIX requests feedback from another alternative email 2023-10-16: No reply, CVE reserved and vendor notified 2023-10-18: No reply, LeakIX sent 7 day disclosure warning 2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network. 2023-10-26: No reply, Publishing this advisory Download attachment "publickey - gregory@...kix.net - 0x6E783F68.asc" of type "application/pgp-keys" (649 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (250 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists