[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [Full Disclosure] CVE-2024-22899: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] [Full Disclosure] CVE-2024-22899: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier
From: Valentin Lobstein via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Thu, 25 Jan 2024 19:19:30 +0000

CVE ID: CVE-2024-22899

Title: Command Injection Vulnerability in Vinchin Backup and Recovery's 
syncNtpTime Function in Versions 7.2 and Earlier

Description:
A critical security vulnerability, identified as CVE-2024-22899, has been 
discovered in the `syncNtpTime` function of Vinchin Backup and Recovery 
software. This issue affects versions 7.2 and earlier. The function, part of 
the `SystemHandler.class.php` file, is designed for synchronizing system time 
with NTP servers but is prone to a command injection vulnerability due to 
improper handling of user input.

Function Analysis:
- The function is responsible for handling the `ntphost` parameter, which is 
expected to contain the address of the NTP server.
- The vulnerability stems from the direct concatenation of this parameter into 
a system command line, without adequate validation or sanitization.
- This design flaw allows an attacker to inject arbitrary commands into the 
`ntphost` parameter, which are then executed by the system.

Current Status:
As of now, there is no patch available for this vulnerability in versions 7.2 
and earlier of Vinchin Backup and Recovery. Users of these versions are at risk 
of exploitation.

Recommendation:
It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier 
to remain alert and monitor for updates from Vinchin. Once a patch becomes 
available, it should be applied immediately to mitigate the risk posed by this 
vulnerability.

Conclusion:
The discovery of CVE-2024-22899 underscores the importance of rigorous input 
validation and sanitization in software development. This vulnerability poses a 
severe security risk, potentially leading to unauthorized system access or 
control.

Signed,Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] [Full Disclosure] CVE-2024-22900: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier
Next by Date: [FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 and Earlier
Previous by thread: [FD] [Full Disclosure] CVE-2024-22900: Unpatched Command Injection in Vinchin Backup and Recovery Versions 7.2 and Earlier
Next by thread: [FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 and Earlier
Index(es):
- Date
- Thread