Webmin - Remote Command Execution Vulnerability
-
Monday, 19th August, 2019
-
16:02pm
We have been made aware of a remote exploit in Webmin versions 1.882 to 1.921 that would allow users to run arbitrary commands. The parameter old in password_change.cgi contains a command injection vulnerability that can be exploited for remote command execution.
Version 1.890 is vulnerable in its default install whereas the other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.
Mitigation
The patched version 1.930 is released by Webmin. Webmin version 1.890 is vulnerable in a default install and should be upgraded immediately. For versions 1.900 to 1.920 if an upgrade is not possible alternately, they can edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, restart the webmin service by running /etc/webmin/restart.
We at E2E Networks always encourage its customers to pursue the best practices of security to keep their systems updated, protected and patched against recognized vulnerabilities.
Official Security Advisories
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107