Webmin is a popular web-based interface that simplifies the management of Unix or Linux-based operating systems and has been a preferred choice among system administrators since the late 1990s. It provides an easy-to-use interface for managing various system configurations, such as user accounts, network settings, and more.
However, despite its many benefits, Webmin is also vulnerable to security exploits that can be exploited by attackers to gain unauthorized access or execute arbitrary code.
-
One example of an attack that exploited versions 1.882 to 1.921 of Webmin is the "Password Change Functionality Attack". In this attack, the attacker sends a specially crafted HTTP POST request to the password_change.cgi script, resulting in the attacker gaining total control of the vulnerable machine and being able to execute any destructive task, such as stealing confidential information or installing malware.
-
Another significant incident involving Webmin occurred in May 2019, when a critical vulnerability with the identifier CVE-2019-12840 was discovered in versions 1.890 to 1.920. This vulnerability allowed attackers to execute arbitrary commands with root privileges on a Webmin server that had the "File Manager" feature enabled.
What happened
In Webmin versions 1.890 to 1.920, a security vulnerability known as CVE-2019-15231 was discovered. This vulnerability allowed attackers to execute arbitrary commands with root privileges on a Webmin server by exploiting an error in the password change feature. The vulnerability was addressed in Webmin version 1.930, which was released in September 2019, and users were advised to upgrade to the latest version to avoid the exploit.
This vulnerability affected versions 1.882 to 1.921 and was due to a flaw in the "password_change.cgi" script. Attackers could run any commands they wanted on the target network while logged in as root. To exploit the vulnerability, attackers used a specially crafted HTTP POST request to the server, taking advantage of how Webmin handled user input. The script stored the password in a variable without validation or sanitization, allowing attackers to craft a request with shell commands in the password field. When executed, Webmin would run these commands with root privileges, giving attackers complete control over the system.
The vulnerability in Webmin was widespread and affected a significant number of Linux and Unix systems that were running vulnerable versions of the software. Attackers could take advantage of this vulnerability to gain complete control over a vulnerable system, which would enable them to carry out a range of malicious activities. Such activities include stealing sensitive data, modifying system configurations, or launching other types of attacks.
How to stop attacks like the Password Change Functionality Attack
There are some things you can additionally do to stay safe:
-
Update Webmin to the most recent release.
-
Disable the password change functionality in Webmin by either removing the password_change.cgi script from the Webmin installation or blocking external access to the script.
Summary
The vulnerability CVE-2019-15231 in Webmin versions 1.882 to 1.921 allowed attackers to execute arbitrary commands on a vulnerable system with root privileges. Attackers had complete control over the system due to the flaw in the password_change.cgi script, which allowed them to send a specially crafted HTTP POST request to the vulnerable server. To mitigate the vulnerability, Packagecloud provided effective solutions, including updating the Webmin version, disabling the password change functionality, and keeping the software up to date. By taking these steps, system administrators can ensure the security of their systems and prevent attacks from exploiting known vulnerabilities.