Webmin (CVE-2019-15107) - Zero Day Remote Exploit

We have been made aware of a remote exploit in Webmin 1.920 (latest) that would allow users to run arbitrary commands.

The function that is being exploited is related to the user password change that appears to be enabled by default. It is recommended that you disable that function and also temporarily disable password_change.cgi at the file system level until a patch has been released.

Please monitor the change log for updates:

http://www.webmin.com/changes.html

At the time of writing this, no patch has been issued to our knowledge!

Source: RACK911 Labs security mail
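The two stop-gaps recommended above (turn the password-change function off and take password_change.cgi out of play on the filesystem until the patched release lands) as a small POSIX shell script. This is an added example, not code from this thread, from RACK911 Labs or from the Webmin project. It assumes that Webmin keeps its server settings in /etc/webmin/miniserv.conf, that the installed version is recorded in /etc/webmin/version, that the option identified further down the thread ("Prompt users with expired passwords to enter a new one") is stored in miniserv.conf as passwd_mode=2, and that the directory holding password_change.cgi is the root= key of that file. Check those assumptions against your own install before acting on the script's verdict.

```shell
#!/bin/sh
# Added example; not code from the thread or from Webmin itself.
# Assumptions (see lead-in): config dir /etc/webmin, version in
# /etc/webmin/version, expired-password prompt stored as passwd_mode=2,
# password_change.cgi located under the root= key of miniserv.conf.

CONF_DIR="${WEBMIN_CONF_DIR:-/etc/webmin}"

# conf_value FILE KEY: print the value of KEY (first match, empty if absent)
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# expired_prompt_enabled FILE: succeed only when passwd_mode=2 is set
expired_prompt_enabled() {
    [ "$(conf_value "$1" passwd_mode)" = "2" ]
}

# webmin_root FILE: print the install root (root= key; fallback is an assumption)
webmin_root() {
    r=$(conf_value "$1" root)
    printf '%s\n' "${r:-/usr/share/webmin}"
}

# not_yet_patched VERSION: succeed when VERSION is 1.920 or lower, i.e. it
# cannot contain the fix the thread says is coming in the next release.
# An empty/unknown version is passed in as 0 and therefore treated as unpatched.
not_yet_patched() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 <= 1.920) }'
}

# disable_password_change ROOT: move the CGI aside. miniserv runs as root,
# so chmod 000 would not stop it; renaming does. Prints what it did.
disable_password_change() {
    cgi="$1/password_change.cgi"
    if [ -f "$cgi" ]; then
        mv "$cgi" "$cgi.disabled" && printf 'moved %s aside\n' "$cgi"
    else
        printf 'no %s present\n' "$cgi"
    fi
}

# restore_password_change ROOT: undo the above once the patched release is installed
restore_password_change() {
    cgi="$1/password_change.cgi"
    [ -f "$cgi.disabled" ] && mv "$cgi.disabled" "$cgi"
}

# report CONF_DIR: one-line verdict; exit status 0 = exposed, 1 = not exposed
report() {
    conf="$1/miniserv.conf"
    ver=$(cat "$1/version" 2>/dev/null || true)
    if not_yet_patched "${ver:-0}" && expired_prompt_enabled "$conf"; then
        printf 'EXPOSED: webmin %s with passwd_mode=2 in %s\n' "${ver:-unknown}" "$conf"
        return 0
    fi
    printf 'not exposed: webmin %s, passwd_mode=%s\n' "${ver:-unknown}" "$(conf_value "$conf" passwd_mode)"
    return 1
}

# Command-line use (nothing runs when sourced without arguments):
case "${1:-}" in
    --check)    report "$CONF_DIR" ;;
    --mitigate) report "$CONF_DIR" && disable_password_change "$(webmin_root "$CONF_DIR/miniserv.conf")" ;;
    --restore)  restore_password_change "$(webmin_root "$CONF_DIR/miniserv.conf")" ;;
esac
```

Run `sh webmin-check.sh --check` as root to see whether the install is at 1.920 or older with the expired-password prompt turned on; `--mitigate` only moves password_change.cgi aside when that check says exposed, and `--restore` puts it back after upgrading. The script deliberately does not rewrite miniserv.conf: turn the option off in Webmin Configuration -> Authentication instead, and restart miniserv afterwards (`systemctl restart webmin` or `/etc/init.d/webmin restart`) so nothing cached keeps serving the old CGI.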

Comments

  • Ilia Rostovtsev - 3 hours ago
    This bug would only affect the systems that had password change feature on, which is off by default.
    All of the issues have been fixed right now and the new release is being prepared and will be ready after we run final tests.
    It's coming..
    Thank you for posting it!

    They patched it and the update will be released in a few hours. https://sourceforge.net/p/webadmin/discussion/600155/thread/60975bddad/

    Thanked by 3: mrTom, minus79, coreflux
  • sdglhm:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

  • angstrom (Moderator)

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

  • Zerpy:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check before commenting.

  • WebProject (Host Rep, Veteran)

    @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check before commenting.

    Similar to cPanel, where the developers didn't know that the DB of the default backup system can somehow be corrupted, after which it is impossible to back up any accounts on the cPanel server.

    Thanked by 1: kkrajk
  • riot (Member)

    @angstrom said:

    It's enabled by default

    No, it isn't, and hasn't been for years, if not forever. What makes you think it is?

  • angstrom (Moderator)

    @riot said:

    @angstrom said:

    It's enabled by default

    No, it isn't, and hasn't been for years, if not forever. What makes you think it is?

    Perhaps I'm mistaken. Are we talking about the facility "Change Password" for users to change their password in Usermin? (I guess not.)

  • riot (Member)

    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

  • angstrom (Moderator)

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Initially, it sounded as though the exploit simply required the facility "Change Password" to be enabled for users (which is enabled by default), but this facility alone isn't sufficient for the exploit to be carried out.

    Thanked by 2: vimalware, FHR
  • vimalware:

    @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅

    Thanked by 1: angstrom
  • angstrom (Moderator)

    @vimalware said:

    @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅

    And don't forget to update Usermin as well:

    Webmin -> Usermin Configuration -> Upgrade Usermin

    Thanked by 1: vimalware
  • angstrom (Moderator)

    @angstrom said:

    @vimalware said:

    @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅

    And don't forget to update Usermin as well:

    Webmin -> Usermin Configuration -> Upgrade Usermin

    Just a heads-up:

    According to the main Webmin web page, http://webmin.com/index.html , Usermin has been updated to v1.780, but according to the Usermin web page, http://webmin.com/usermin.html , Usermin is still at v1.770. Presumably, this is a temporary discrepancy, so one should look/try again later in the day or tomorrow.

    So far, I was able to update from Usermin v1.760 to v1.770.

  • FHR (Member, Host Rep)

    @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check before commenting.

    I'm guessing it's not enabled by default in the upstream package. But as you very well know, various distributions like to make changes when they package the software.

  • jvnadr:

    angstrom said: It's enabled by default

    No, at least not for my installations. You have to enable it manually.

    angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files at the moment?

  • angstrom (Moderator)

    @FHR, @jvnadr: See my comment above ( https://www.lowendtalk.com/discussion/comment/3013323/#Comment_3013323 )

    @jvnadr: Will try Usermin again -- I was probably a bit early.

  • angstrom (Moderator)
    edited August 2019

    @jvnadr said: angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files at the moment?

    I still can't update to v1.780. Oh, well, I'll recheck later.

  • jvnadr said: They patched it and the update will be released in a few hours. https://sourceforge.net/p/webadmin/discussion/600155/thread/60975bddad/

    This is the reason I love Webmin, and Virtualmin even more. Long live Virtualmin!

    Thanked by 1: vimalware
  • @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check before commenting.

    Which developer are you referring to?

  • angstrom (Moderator)

    @angstrom said:

    @jvnadr said: angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files at the moment?

    I still can't update to v1.780. Oh, well, I'll recheck later.

    Just as a follow-up: today, I was able to update to v1.780.

    Thanked by 1: jvnadr