Webmin Backdoored for Over a Year

Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year and it’s believed to be an intentional backdoor.

The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.

The flaw is related to a feature designed for changing expired passwords and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.

The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.

“To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” Webmin developers explained.

Webmin developers believe this was a backdoor planted by malicious actors in the code on purpose after compromising build infrastructure. An investigation into this incident is ongoing.

Interestingly, the flaw appears to have existed in official downloads and the SourceForge repository, but the code hosted on GitHub was reportedly clean. ..