A year-old dormant malicious remote code execution vulnerability discovered in Webmin

By Hayley Denbraver

On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a newly discovered remote command execution vulnerability found in Webmin versions 1.890 through 1.920. This vulnerability has been present for more than a year and was introduced by a malicious third party.

Webmin is an interface for system administration for Unix. As the name suggests, it is web-based. Webmin allows you to manage a system either from the console or remotely.

The newly discovered vulnerability is interesting because it is not present in every distribution of Webmin. Malicious code was injected into compromised build infrastructure associated with the SourceForge distribution point. SourceForge is a software platform that distributes both open source and commercial software products to millions of users. Whether the compromised machine is at SourceForge or is a contributor's machine is not yet known.

Because the vulnerability was limited to the SourceForge distribution, it was able to remain hidden for quite a while. If you only reviewed the problematic file in the project's GitHub repository, you would never know the project had been compromised. More than likely this limited the reach of the vulnerability, but it also allowed the vulnerability to persist longer than it might have otherwise. This vulnerability dates back to at least July 2018 (the release date of version 1.890).

The remote command execution vulnerability is found in Webmin versions 1.882 to 1.921. Of most interest is version 1.890, because its default installation is vulnerable. If you are using this version, it is important to upgrade right away. Other versions are vulnerable to remote command execution if the developer has enabled changing expired passwords, which is not the default behavior.

Another interesting feature of this case is that the vulnerability was not responsibly disclosed to the maintainers. This puts the maintainers under significant pressure to fix the problem very quickly, which is not an ideal scenario. Snyk is happy to help any security researcher properly disclose vulnerabilities, while the researcher still gets credit. You can find more information about that program here.

What should you do?

Upgrading to 1.930 is strongly recommended regardless of whether you are on the most vulnerable version (1.890) or one of the other compromised versions. If you are unable to upgrade and you are using version 1.900 to 1.920, you can fix the vulnerability by doing the following.

  1. Edit /etc/webmin/miniserv.conf to remove the passwd_mode= line.
  2. Run /etc/webmin/restart
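
The version ranges and the passwd_mode workaround above, turned into a triage check. This is an added example, not code from Webmin or Snyk; the function names, the status words and the sample config (including the value passwd_mode=2) are constructed for illustration.

```bash
#!/bin/sh
# Added example (not Webmin or Snyk code). Classifies an install using the
# version numbers quoted in this article and the passwd_mode workaround.

# "1.890" -> 1890, so versions compare as integers.
ver_to_int() {
    minor=$(printf '%s000' "${1#*.}" | cut -c1-3)
    printf '%s%s\n' "${1%%.*}" "$minor"
}

# webmin_exposure VERSION MINISERV_CONF -> prints one status word.
webmin_exposure() {
    version=$1
    conf=$2
    case $version in
        *[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    v=$(ver_to_int "$version")
    if [ "$v" -ge 1930 ]; then
        echo fixed
    elif [ "$v" -eq 1890 ]; then
        echo vulnerable-default-install
    elif [ "$v" -ge 1882 ] && [ "$v" -le 1921 ]; then
        # An unreadable config must not be reported as "no passwd_mode line".
        [ -r "$conf" ] || { echo unknown; return 0; }
        # Other affected versions: exposed while a passwd_mode= line is set.
        if grep -Eq '^[[:space:]]*passwd_mode=' "$conf"; then
            echo vulnerable-passwd_mode-present
        else
            echo affected-version-upgrade-recommended
        fi
    else
        echo outside-affected-range
    fi
}

# Constructed sample config (not from a real host) so the example runs offline.
sample=$(mktemp)
printf 'port=10000\npasswd_mode=2\n' > "$sample"
for ver in 1.890 1.920 1.930; do
    printf '%s -> %s\n' "$ver" "$(webmin_exposure "$ver" "$sample")"
done
rm -f "$sample"
```

On a real host, pass the installed version string and /etc/webmin/miniserv.conf as the two arguments. A commented-out passwd_mode line is not counted as set.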

Conclusion

Congratulations to the Webmin team for responding quickly to the security incident. Don’t let their effort go to waste by failing to upgrade your installation.

Do you know what known vulnerabilities are in your open source dependencies? Try Snyk today to help you find and fix vulnerabilities.