
List:       full-disclosure
Subject:    [FD] [Full Disclosure] CVE-2024-22899: Unpatched Command Injection in Vinchin Backup and Recovery Ve
From:       Valentin Lobstein via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2024-01-25 19:19:30
Message-ID: foUERLutgWK21zUA6XEIToLcbFASxA7r8Do9zF_A7KrGrDnxpLiZpzKdP5QEOm6MNSYmg1b65_pZcPYCsbSNG1IbWKCH-Ij-7JwSDGoKMhk= () protonmail ! com

CVE ID: CVE-2024-22899

Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in
Versions 7.2 and Earlier

Description:
A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the
`syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2
and earlier. The function, part of the `SystemHandler.class.php` file, is designed for
synchronizing system time with NTP servers but is prone to a command injection vulnerability
due to improper handling of user input.

Function Analysis:
- The function is responsible for handling the `ntphost` parameter, which is expected to
  contain the address of the NTP server.
- The vulnerability stems from the direct concatenation of this parameter into a system command
  line, without adequate validation or sanitization.
- This design flaw allows an attacker to inject arbitrary commands into the `ntphost`
  parameter, which are then executed by the system.

Current Status:
As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of
Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.

Recommendation:
Users of Vinchin Backup and Recovery versions 7.2 and earlier are advised to remain alert
and monitor for updates from Vinchin. Once a patch becomes available, it should be applied
immediately to mitigate the risk posed by this vulnerability.

Conclusion:
The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and
sanitization in software development. This vulnerability poses a severe security risk,
potentially leading to unauthorized system access or control.

Signed, Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
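
The defensive counterpart to the flaw described under "Function Analysis", as an added example that is not part of the original advisory and is not Vinchin's code: validate `ntphost` against an allow-list grammar, then pass it as a separate argv element so no shell ever parses it. The function names and the `/usr/sbin/ntpdate` helper path are assumptions made for illustration; the advisory does not name the command the product runs.

```php
<?php
// Added example with hypothetical names; not taken from SystemHandler.class.php.
// Generic form of the unsafe pattern the advisory describes:
//     exec('<time-sync command> ' . $ntphost);   // input parsed by a shell

/**
 * Return $host if it is a literal IPv4/IPv6 address or an RFC 1123 hostname,
 * otherwise null. No shell metacharacter or whitespace can pass either check.
 */
function validate_ntp_host(string $host): ?string
{
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Each label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1) {
        return $host;
    }
    return null;
}

/**
 * Build the argument vector for the time-sync helper (path is an assumption).
 * Passing an array to proc_open() (PHP >= 7.4) executes without a shell.
 */
function build_sync_argv(string $rawHost): array
{
    $host = validate_ntp_host($rawHost);
    if ($host === null) {
        throw new InvalidArgumentException('ntphost is not a valid host or IP');
    }
    return ['/usr/sbin/ntpdate', $host];
}

// Constructed sample inputs: two well-formed values, two carrying shell syntax.
foreach (['time.example.net', '192.0.2.10', 'time.example.net;echo x', '`echo x`'] as $sample) {
    try {
        $argv = build_sync_argv($sample);
        echo 'accepted: ', json_encode($argv), PHP_EOL;
        // proc_open($argv, [1 => ['pipe', 'w']], $pipes) would run the helper here.
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($sample), PHP_EOL;
    }
}
```

Rejected values are worth logging with the requesting account and source address, since shell syntax in an NTP host field has no legitimate use.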

