
A year-old dormant malicious remote code execution vulnerability discovered in Webmin

Hayley Denbraver, August 20, 2019

On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a newly discovered remote command execution vulnerability found in Webmin versions 1.890 through 1.920. This vulnerability has been present for more than a year and was introduced by a malicious third party.

Webmin is an interface for system administration for Unix. As the name suggests, it is web-based. Webmin allows you to manage a system either from the console or remotely.

The newly discovered vulnerability is interesting because it is not present in every distribution of Webmin. Malicious code was injected into a compromised infrastructure build associated with the Sourceforge distribution point. Sourceforge is a software platform that distributes both open source and commercial software products to millions of users. Whether the compromised machine is at Sourceforge or on a contributor’s machine is not yet known.

Because the vulnerability was limited to the Sourceforge distribution, it was able to remain hidden for quite a while. If you only reviewed the problematic file in their GitHub repository, you would never know the project had been compromised. More than likely this limited the reach of the vulnerability, but allowed for the vulnerability to persist longer than it might have otherwise. This vulnerability dates back to at least July 2018 (the release date of version 1.890).

The remote command execution vulnerability is found in Webmin versions 1.882 to 1.921. Of most interest is version 1.890, because the default installation is vulnerable. If you are using this version, it is important to upgrade right away. Other versions are vulnerable to remote command execution if the developer has enabled changing expired passwords, which is not the default behavior.

Another interesting feature of this case is that the vulnerability was not responsibly disclosed to the maintainers. This puts the maintainers under significant pressure to fix the problem very quickly. This is not an ideal scenario. Snyk is happy to help any security researcher properly disclose vulnerabilities, while the researcher still gets credit. You can find more information about that program here.

What should you do?

Upgrading to 1.930 is strongly recommended regardless of whether you are on the most vulnerable version (1.890) or one of the other compromised versions. If you are unable to upgrade and you are using version 1.900 to 1.9200, you can fix the vulnerability by doing the following.

  1. Edit /etc/webmin/miniserv.conf to remove the line passwd_mode=line.
  2. Run /etc/webmin/restart
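
The check and workaround above can be scripted. This is an added example, not code from Webmin or from the original article; it assumes versions are written like `1.920`, treats any `passwd_mode=` setting as the line to remove, and uses the version ranges quoted in this article. All function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Webmin install and apply the miniserv.conf workaround.

# Turn "1.920" into the integer 1920 so versions compare numerically
# (assumes the major.three-digit form used in the article).
ver_num() {
    printf '%s\n' "$1" | tr -d '.'
}

# True when the config still contains a passwd_mode= setting.
has_passwd_mode() {
    grep -q '^[[:space:]]*passwd_mode=' "$1"
}

# Print an exposure class for a version string and a miniserv.conf path.
webmin_exposure() {
    v=$(ver_num "$1")
    conf=$2
    if [ "$v" -ge 1930 ]; then
        echo "fixed"
    elif [ "$v" -eq 1890 ]; then
        echo "vulnerable-by-default"          # upgrade; config does not matter
    elif [ "$v" -ge 1882 ] && [ "$v" -le 1921 ]; then
        if has_passwd_mode "$conf"; then
            echo "passwd_mode-set"            # remove the line or upgrade
        else
            echo "no-passwd_mode-line"
        fi
    else
        echo "outside-reported-range"
    fi
}

# Remove the passwd_mode= line, keeping a backup copy beside the file.
remove_passwd_mode() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    # grep -v exits 1 when no lines remain; only a status above 1 is an error
    grep -v '^[[:space:]]*passwd_mode=' "$conf.bak" > "$conf" || [ $? -eq 1 ]
}

# Constructed sample config for a dry run (not a real miniserv.conf).
sample_conf() {
    f=$(mktemp) && printf 'port=10000\npasswd_mode=2\nssl=1\n' > "$f" && echo "$f"
}
```

On a real host, pass the installed version and `/etc/webmin/miniserv.conf`, then run `/etc/webmin/restart` as in step 2 so the change takes effect.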

Conclusion

Congratulations to the Webmin team for responding quickly to the security incident. Don’t let their effort go to waste by failing to upgrade your installation.

Do you know what known vulnerabilities are in your open source dependencies? Try Snyk today to help you find and fix vulnerabilities.

We also recommend reading up on command injection attacks to understand how they work, what the risks are, and how to prevent them.
