Webmin, a web-based administration application for Unix-like systems (Linux, FreeBSD and OpenBSD servers), was shipped with a backdoor that lets remote attackers execute arbitrary commands as root. Because Webmin runs with root privileges and sits on the management path of every host it administers, a compromised Webmin server can be used as a pivot for further attacks against the systems it manages.
What is Webmin? "Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely," the official website says.
Webmin also lets administrators change OS-level settings and internals, create new users, and update the configuration of applications running on remote systems such as Apache, BIND, MySQL, PHP and Exim. Because of this convenience, and because Webmin is so widely deployed in the Linux ecosystem, a backdoor in it is a serious threat: whoever controls Webmin controls the host.
At risk are more than 1,000,000 installations worldwide. Shodan data shows some 215,000 Webmin instances exposed directly to the internet. These can be attacked without any foothold on an internal network and without bypassing a firewall, since the management interface itself is the entry point.
CVE-2019-15107 Webmin Vulnerability
The issue stems from a vulnerability discovered by security researcher Özkan Mustafa Akkuş, who found a flaw in Webmin's source code that lets unauthenticated attackers run code on servers running the application. The flaw is now tracked as CVE-2019-15107. The researcher presented his findings at the AppSec Village at the DEF CON 27 security conference in Las Vegas earlier this month.
After Akkuş's presentation, other researchers looked more closely at CVE-2019-15107 and found that its impact was far greater than a routine bug.
One of Webmin's developers says that CVE-2019-15107 is not the result of a coding mistake but of malicious code injected through compromised build infrastructure.
Furthermore, the backdoored code was present in the Webmin download packages on SourceForge but not in the source on GitHub. This does not lessen the impact of the vulnerability: SourceForge is listed as the official download location on Webmin's website, so it is where most users obtained their copies.
It is still unclear whether the compromised build infrastructure was the developer's own build system or a compromised SourceForge account, which an attacker could have used to upload a malicious Webmin version. According to SourceForge, the attacker did not exploit any flaw in the platform; SourceForge only hosted code uploaded by the project admins through their own accounts.
Note that all Webmin versions from 1.882 to 1.921 that were downloaded from SourceForge are affected. Webmin version 1.930, which removes the backdoor, was released on August 18. According to the official advisory:
Webmin releases between these versions contain a vulnerability that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately – other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.
Either way, upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920.
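The advisory gives a version-dependent picture: 1.890 is exploitable as installed, 1.900 to 1.920 only when expired-password changing is turned on, and 1.930 is fixed. The following triage helper, an added example that is not part of the original article or of Webmin itself, turns those rules into a check a practitioner can run against an installed version string and a miniserv.conf. The assumption that the expired-password option is the passwd_mode key (with the value 2 meaning enabled) is drawn from the advisory's own workaround, which removes the passwd_mode= line; confirm it against your installation. The sample version string and config are constructed for the example, not real dumps.

```python
"""Triage helper for CVE-2019-15107 (Webmin backdoor, SourceForge builds).

Classifies a Webmin installation by version and by whether changing of
expired passwords is enabled, following the version rules in the advisory.
It cannot tell a SourceForge package from a GitHub build of the same
version, so treat any in-range version as affected unless you built it
from GitHub yourself.
"""

import re
from decimal import Decimal

# Affected range and fix release, as stated in the Webmin advisory.
FIRST_AFFECTED = Decimal("1.882")
LAST_AFFECTED = Decimal("1.921")
DEFAULT_VULNERABLE = Decimal("1.890")   # exploitable in a default install
FIXED = Decimal("1.930")

# Assumption: miniserv.conf stores the "change expired passwords" option as
# passwd_mode=2 (the advisory's workaround removes the passwd_mode= line).
PASSWD_MODE_KEY = "passwd_mode"
PASSWD_MODE_EXPIRED_CHANGE = "2"


def parse_version(text: str) -> Decimal:
    """Extract a Webmin version (e.g. "1.890") from a string.

    Webmin compares versions as decimal numbers, so 1.9 and 1.900 are the
    same release; Decimal preserves that, a tuple comparison would not.
    """
    match = re.search(r"\d+\.\d+", text)
    if not match:
        raise ValueError(f"no Webmin version found in {text!r}")
    return Decimal(match.group(0))


def expired_password_change_enabled(miniserv_conf: str) -> bool:
    """Return True if the given miniserv.conf text enables expired-password
    changing; an absent key is Webmin's default, which the advisory says is
    safe for 1.900 to 1.920."""
    for line in miniserv_conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PASSWD_MODE_KEY:
            return value.strip() == PASSWD_MODE_EXPIRED_CHANGE
    return False


def triage(version: str, expired_change_enabled: bool) -> str:
    """Return one of: 'fixed', 'not_affected', 'vulnerable_default',
    'vulnerable_config', 'safe_by_config'."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return "not_affected"            # outside the backdoored range
    if v == DEFAULT_VULNERABLE:
        return "vulnerable_default"      # 1.890 needs no special config
    # 1.882-1.921 other than 1.890: depends on the expired-password option
    return "vulnerable_config" if expired_change_enabled else "safe_by_config"


# Constructed sample inputs (assumed paths: /etc/webmin/version and
# /etc/webmin/miniserv.conf); replace with the real file contents.
SAMPLE_VERSION_FILE = "1.920\n"
SAMPLE_MINISERV_CONF = """port=10000
root=/usr/share/webmin
passwd_mode=2
ssl=1
"""


def main() -> None:
    enabled = expired_password_change_enabled(SAMPLE_MINISERV_CONF)
    print(f"expired-password change enabled: {enabled}")
    print(f"status: {triage(SAMPLE_VERSION_FILE, enabled)}")


if __name__ == "__main__":
    main()
```

On a real host, feed the function the contents of the version and miniserv.conf files instead of the constructed samples. A result of anything other than "fixed" or "not_affected" means the host should be upgraded to 1.930; "safe_by_config" only says the default-safe setting is in place today, not that the backdoored code is absent from disk.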