A security researcher discovered a backdoor in the popular web-based utility used to remotely manage Unix-based servers, to include Linux, FreeBSD and OpenBSD systems.
A Turkey-based researcher, Özkan Mustafa Akkuş, found the vulnerability and presented his findings at DEF CON 27 (AppSec Village) security conference held in Las Vegas earlier this month.
Webmin provided a summary of the remote code execution vulnerability CVE-2019-15107 in a recent advisory:
“Webmin releases between these versions contain a vulnerability that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately – other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.”
Over the past weekend, other researchers later found that malicious code was injected into compromised build infrastructure. To add, the backdoor in Webmin’s code remained hidden in the project’s source code for more than a year.
Consequently, the malicious code was present in Webmin packages available for download via SourceForge, although not present on GitHub.
Webmin developer Joe Cooper provided additional details on the issue and researcher in a blog post.
“We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there’s nothing we can do but fix it ASAP,” Cooper noted.
Vulnerability mitigation
Webmin strongly recommends admins upgrade to Webmin version 1.930 and Usermin version 1.780 for all repositories. As an alternative, users running versions 1.900 to 1.920 can edit /etc/webmin/miniserv.conf and remove the passwd_mode= line. Finally, run /etc/webmin/restart.