Vinchin Backup And Recovery 7.2 syncNtpTime Command Injection

`CVE ID: CVE-2024-22899  
  
Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and Earlier  
  
Description:  
A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.  
  
Function Analysis:  
- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.  
- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.  
- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.  
  
Current Status:  
As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.  
  
Recommendation:  
It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.  
  
Conclusion:  
The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.  
  
Signed,Valentin Lobstein  
  
`