Webmin (CVE-2019-15107) - Zero Day Remote Exploit

We have been made aware of a remote exploit in Webmin 1.920 (latest) that would allow users to run arbitrary commands.

The function that is being exploited is related to the user password change that appears to be enabled by default. It is recommended that you disable that function and also temporarily disable password_change.cgi at the file system level until a patch has been released.

Please monitor the change log for updates:

http://www.webmin.com/changes.html

At the time of writing this, no patch has been issued to our knowledge!

Source: RACK911 Labs security mail
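As an added example (not code from this thread or from the Webmin project), a small POSIX shell audit that implements the interim mitigation the OP describes: check whether the expired-password prompt option is turned on and, if so, take password_change.cgi out of service at the file-system level until the patched release is installed. The install root and config directory are passed in as parameters, and the miniserv.conf key `passwd_mode=2` is assumed here to correspond to the "Prompt users with expired passwords to enter a new one" setting.

```shell
#!/bin/sh
# Added example: interim audit/mitigation for the password_change.cgi issue.
# Assumptions: $1 is the Webmin install tree (where password_change.cgi lives)
# or the Webmin config dir (where miniserv.conf lives); "passwd_mode=2" is
# assumed to be the "Prompt users with expired passwords" option.

# Return 0 when the expired-password prompt option is set in miniserv.conf.
expired_password_prompt_enabled() {
    conf="$1/miniserv.conf"
    [ -f "$conf" ] || return 1
    grep -q '^passwd_mode=2$' "$conf"
}

# Take password_change.cgi out of service by clearing all permission bits.
# The original mode is recorded next to the file so it can be restored
# once the patched release is installed. Returns 1 if the CGI is absent.
disable_password_change_cgi() {
    cgi="$1/password_change.cgi"
    [ -f "$cgi" ] || return 1
    # GNU stat first, BSD stat as the fallback
    stat -c '%a' "$cgi" > "$cgi.mode.bak" 2>/dev/null \
        || stat -f '%Lp' "$cgi" > "$cgi.mode.bak"
    chmod 000 "$cgi"
}

# Put the CGI back into service using the recorded mode.
restore_password_change_cgi() {
    cgi="$1/password_change.cgi"
    [ -f "$cgi.mode.bak" ] || return 1
    chmod "$(cat "$cgi.mode.bak")" "$cgi" && rm -f "$cgi.mode.bak"
}

# Audit entry point: disable the CGI only when the risky option is on.
# Usage: audit_webmin <install-root> <config-dir>
audit_webmin() {
    root="$1"; etc="$2"
    if expired_password_prompt_enabled "$etc"; then
        echo "passwd_mode=2 is set: disabling $root/password_change.cgi"
        disable_password_change_cgi "$root"
    else
        echo "expired-password prompt not enabled: no file-system change made"
    fi
}
```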

Comments

  • Ilia Rostovtsev - 3 hours ago
    This bug would only affect the systems that had password change feature on, which is off by default.
    All of the issues have been fixed right now and the new release is being prepared and will be ready after we run final tests.
    It's coming...
    Thank you for posting it!

    They patched it and the update will be released in a few hours. https://sourceforge.net/p/webadmin/discussion/600155/thread/60975bddad/

  • niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.


  • @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    "Linux will run happily with only 4 MB of RAM, including all of the bells and whistles such as the X Window System, Emacs, and so on." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 32)

  • @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check it before commenting.

  • WebProject Member, Provider

    @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check it before commenting.

    Similar to cPanel, where the developers didn't know that somehow the DB of the default backup system can be corrupted, making it impossible to back up any accounts on a cPanel server.

  • riot Member

    @angstrom said:

    It's enabled by default

    No, it isn't, and hasn't been for years, if not forever. What makes you think it is?

  • @riot said:

    @angstrom said:

    It's enabled by default

    No, it isn't, and hasn't been for years, if not forever. What makes you think it is?

    Perhaps I'm mistaken. Are we talking about the facility "Change Password" for users to change their password in Usermin? (I guess not.)


  • riot Member

    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

  • @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Initially, it sounded as though the exploit simply required the facility "Change Password" to be enabled for users (which is enabled by default), but this facility alone isn't sufficient for the exploit to be carried out.


  • @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅


  • @vimalware said:

    @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅

    And don't forget to update Usermin as well:

    Webmin -> Usermin Configuration -> Upgrade Usermin


  • @angstrom said:

    @vimalware said:

    @angstrom said:

    @riot said:
    It's probably easier to just link to the Webmin forum post: https://www.virtualmin.com/node/66890

    Ah, okay, I hadn't yet looked more closely at the matter, but it's really the option "Prompt users with expired passwords to enter a new one" that needs to be set for the exploit to be carried out, and this option is indeed not set by default.

    Yes, I just read the release and breathed some relief.
    I actually had fun Sunday plans. 😅

    And don't forget to update Usermin as well:

    Webmin -> Usermin Configuration -> Upgrade Usermin

    Just a heads-up:

    According to the main Webmin web page, http://webmin.com/index.html , Usermin has been updated to v1.780, but according to the Usermin web page, http://webmin.com/usermin.html , Usermin is still at v1.770. Presumably, this is a temporary discrepancy, so one should look/try again later in the day or tomorrow.

    So far, I was able to update from Usermin v1.760 to v1.770.


  • FHR Member, Provider

    @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check it before commenting.

    I'm guessing it's not enabled by default in the upstream package. But as you very well know, various distributions like to make changes when they package the software.


  • angstrom said: It's enabled by default

    No, at least for my installations. You have to enable it manually.

    angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files atm?

  • @FHR, @jvnadr: See my comment above ( https://www.lowendtalk.com/discussion/comment/3013323/#Comment_3013323 )

    @jvnadr: Will try Usermin again -- I was probably a bit early.


  • angstrom Member
    edited August 2019

    @jvnadr said: angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files atm?

    I still can't update to v1.780. Oh, well, I'll recheck later.


  • jvnadr said: They patched it and the update will be released in a few hours. https://sourceforge.net/p/webadmin/discussion/600155/thread/60975bddad/

    This is the reason I love Webmin and, even more, Virtualmin. Long live Virtualmin!


  • @Zerpy said:

    @angstrom said:

    @sdglhm said:

    niceboy said: user password change that appears to be enabled by default

    jvnadr said: This bug would only affect the systems that had password change feature on, which is off by default.

    It's enabled by default

    It's concerning that a developer of Webmin doesn't even know what defaults they deliver, or even check it before commenting.

    Which developer are you referring to?

  • @angstrom said:

    @jvnadr said: angstrom said: So far, I was able to update from Usermin v1.760 to v1.770.

    I just updated it and it went to 1.780. Maybe they are updating all of their servers containing the installation files atm?

    I still can't update to v1.780. Oh, well, I'll recheck later.

    Just as a follow-up: today, I was able to update to v1.780.
