Description

Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install. Neither of these were accidental bugs - rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability.

Remediation

Upgrade to Webmin version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.

References

The stories behind CVE-2019-15107

Webmin Security Alerts

Webmin 1.890 Exploit - What Happened?

Related Vulnerabilities

WordPress Plugin Product Lister for Walmart Remote Code Execution (1.0.1)

Security update: Hotfix available for ColdFusion

Flex BlazeDS AMF Deserialization RCE

Code Evaluation (Ruby)

Apache Log4j2 JNDI Remote Code Execution (delayed)

Severity

High

Classification

CVE-2019-15107 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution