Administrators using the open-source Webmin interface for managing Unix and Linux servers are being urged to update to the latest version after the discovery of a critical vulnerability.
The safe version is 1.930. In addition to releasing an updated version of Webmin, project developers also released Usermin 1.780.
Finding the bug, a remote code execution vulnerability (CVE-2019-15107) in the way expired passwords are handled, isn’t the big news. The big news is that the hole was created by an attacker who, more than a year ago, inserted a backdoor into the developers’ code. It remained in versions 1.882 through 1.921.
It’s another example of hackers getting into the supply chain to inject vulnerabilities into software. The most damaging example was the 2017 injection of the NotPetya destructive malware into the M.E. Doc tax software made by a Ukrainian firm. Not only did it hit those in Ukraine, it spread to Windows computers around the world.
More recently someone compromised the updater software for Asus computers to send out malicious updates to some computers made by that firm.
Webmin is a user interface for overseeing functions including users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts.
According to The Hacker News, word about the vulnerability spread after a presentation on it 10 days ago at the annual DefCon conference in Las Vegas. It’s common for security researchers to let a company know a vulnerability has been found, to give it time to plug the hole before the bug can be exploited. However, Webmin project developers were caught off guard, according to the report.
Joe Cooper, one of the Webmin project’s developers, called the disclosure at DefCon “unethical” in a blog post over the weekend announcing the release of a clean version of the software.
Cooper said that to exploit the malicious code in the affected versions – 1.882 through 1.921 – a Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to “Prompt users with expired passwords to enter a new one”. This option is not set by default, but if it is set, it allows remote code execution.
However, according to The Hacker News, another security researcher said that Webmin version 1.890 is affected in the default configuration. Hackers apparently modified the source code of that version.
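The exposure conditions stated above (backdoored releases 1.882 through 1.921 that are exploitable only when the expired-password prompt is enabled, plus 1.890 being exploitable in the default configuration, with 1.930 as the clean release) can be turned into a quick inventory check. The following is an added example, not code from the Webmin project or the article; it assumes the installed version is read from a text file such as /etc/webmin/version, that miniserv.conf uses key=value lines, and that a key named passwd_mode with value 2 corresponds to the prompt option (both of those names are assumptions, not taken from the page).

```python
import re
from typing import Dict, Tuple

SAFE_VERSION = (1, 930)                  # clean release named on the page
BACKDOOR_RANGE = ((1, 882), (1, 921))    # releases carrying the planted code
DEFAULT_CONFIG_AFFECTED = {(1, 890)}     # exploitable even with default settings

# Assumed miniserv.conf key/value for "Password expiry policy" set to
# "Prompt users with expired passwords to enter a new one" (not from the page).
PASSWD_MODE_KEY = "passwd_mode"
PASSWD_MODE_PROMPT = "2"

# Constructed sample inputs, not taken from any real server.
SAMPLE_VERSION_FILE = "1.900\n"
SAMPLE_MINISERV_CONF = """# constructed sample miniserv.conf
port=10000
ssl=1
passwd_mode=2
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.890' into (1, 890) so ranges compare numerically, not as strings."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(version_text: str, conf: Dict[str, str]) -> str:
    """Classify a host against the CVE-2019-15107 conditions given in the article."""
    version = parse_version(version_text)
    prompt_enabled = conf.get(PASSWD_MODE_KEY) == PASSWD_MODE_PROMPT
    if version in DEFAULT_CONFIG_AFFECTED:
        return "exploitable"        # 1.890: affected regardless of configuration
    if BACKDOOR_RANGE[0] <= version <= BACKDOOR_RANGE[1]:
        return "exploitable" if prompt_enabled else "backdoored"
    return "update" if version < SAFE_VERSION else "clean"
```

A result of "backdoored" means the planted code is present but the triggering option is off; the page still calls for upgrading to 1.930 in every case short of "clean".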