Webmin users urged to install latest version to plug vulnerability

Administrators using the open-source Webmin interface for managing Unix and Linux servers are being urged to update to the latest version after the discovery of a critical vulnerability.

The safe version is 1.930. In addition to releasing an updated version of Webmin, project developers also released Usermin 1.780.

Finding the bug, a remote code execution vulnerability (CVE-2019-15107) in the way expired passwords are handled, isn’t the big news. The big news is that the hole was created by an attacker over a year ago, who inserted a backdoor into the developers’ code. It remained in versions 1.882 through 1.921.

It’s another example of hackers getting into the supply chain to inject vulnerabilities into software. The most damaging example was the 2017 injection of the NotPetya destructive malware into the M.E. Doc tax software made by a Ukrainian firm. Not only did it hit those in Ukraine, it spread to Windows computers around the world.

More recently, someone compromised the updater software for Asus computers to send out malicious updates to some computers made by that firm.

Webmin is a user interface for overseeing functions including users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts.

According to The Hacker News, word about the vulnerability spread after a presentation on it 10 days ago at the annual DefCon conference in Las Vegas. It’s common for security researchers to let a company know a vulnerability has been found, giving it time to plug the hole before the bug can be exploited. However, Webmin project developers were caught off guard, according to the report.

Joe Cooper, one of the Webmin project’s developers, called the disclosure at DefCon “unethical” in a blog post over the weekend announcing the release of a clean version of the software.

Cooper said that to exploit the malicious code in the affected versions (1.882 through 1.921), a Webmin installation must have the option Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to “Prompt users with expired passwords to enter a new one”. This option is not set by default, but if it is set, it allows remote code execution.

However, according to The Hacker News, another security researcher said that Webmin version 1.890 is affected in the default configuration. Hackers apparently modified the source code of that version.
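For administrators who want to triage their own hosts against the conditions described above, the following script is an added example written for this article; it is not from the Webmin project. It assumes (these are assumptions, not facts from the article) that a Webmin install root contains a plain-text `version` file and that the expiry policy chosen in the Authentication page is stored in `miniserv.conf` as `passwd_mode=2`. It encodes only what the article states: the backdoored range is 1.882 through 1.921, 1.890 is reported exploitable in the default configuration, the others need the expiry prompt enabled, and 1.930 is the safe release. The sample files it checks are constructed inline so it runs offline.

```shell
#!/bin/sh
# Triage helper for the Webmin backdoor (CVE-2019-15107), added example.
# ASSUMPTIONS (not from the article): the install root has a "version" file
# and the expiry policy is stored as "passwd_mode=2" in miniserv.conf.

# version_in_backdoored_range VERSION -> exit 0 if 1.882 <= VERSION <= 1.921
version_in_backdoored_range() {
  awk -v v="$1" 'BEGIN { exit !(v+0 >= 1.882 && v+0 <= 1.921) }'
}

# expiry_prompt_enabled CONF -> exit 0 if the assumed passwd_mode=2 key is set
expiry_prompt_enabled() {
  grep -q '^passwd_mode=2$' "$1"
}

# webmin_verdict VERSION_FILE CONF -> prints one keyword:
#   vulnerable-default   1.890, reported exploitable with default settings
#   vulnerable-expiry    backdoored release with the expiry prompt enabled
#   backdoored-dormant   backdoored release, prompt disabled (still upgrade)
#   outside-range        not in 1.882..1.921 (upgrade anyway if below 1.930)
webmin_verdict() {
  ver=$(tr -d '[:space:]' < "$1")
  if ! version_in_backdoored_range "$ver"; then
    echo "outside-range"
  elif [ "$ver" = "1.890" ]; then
    echo "vulnerable-default"
  elif expiry_prompt_enabled "$2"; then
    echo "vulnerable-expiry"
  else
    echo "backdoored-dormant"
  fi
}

# Demo on constructed sample files (a real check would point at the live
# install root, e.g. /etc/webmin, which is an assumption about layout).
demo() {
  d=$(mktemp -d)
  printf 'port=10000\npasswd_mode=0\n' > "$d/default.conf"
  printf 'port=10000\npasswd_mode=2\n' > "$d/expiry.conf"
  for v in 1.880 1.890 1.910 1.930; do
    printf '%s\n' "$v" > "$d/version"
    echo "$v / passwd_mode=0: $(webmin_verdict "$d/version" "$d/default.conf")"
    echo "$v / passwd_mode=2: $(webmin_verdict "$d/version" "$d/expiry.conf")"
  done
  rm -rf "$d"
}

demo
```

The verdict keywords are deliberately coarse: anything other than `outside-range` on a version below 1.930 is a reason to upgrade, and `outside-range` on an older release only means the host is not in the reported backdoored window, not that it is current.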


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
