Security Update – Webmin

By Tarun Dua
19th, August 2019

Webmin – Remote Command Execution Vulnerability

We have been made aware of a remote exploit in Webmin versions 1.882 to 1.921 that will allow users to run arbitrary commands. The parameter old in password_change.cgi contains a command injection vulnerability that can be exploited for remote command execution.

Version 1.890 is vulnerable in its default install whereas the other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.

Mitigation

<p><pre><code>The patched version 1.930 is released by Webmin. Webmin version 1.890 is vulnerable in a default install and should be upgraded immediately. For versions 1.900 to 1.920 if an upgrade is not possible alternately, they can edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, restart the webmin service by running /etc/webmin/restart.</code></pre></p>
<p><pre><code>E2E Networks encourages its customers to pursue the best practices of security to keep their systems updated, protected and patched against recognized vulnerabilities.</code></pre></p>
<h3><strong>Official Security Advisories</strong></h3>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107</a></p>
<p><pre><code>If you have any queries regarding the patching/updates on E2E Networks infrastructure, please write in the comments below.</code></pre></p>

India's Largest NSE Listed Cloud Provider

Top 10 new features in SQL Server 2019

5 Key Factors to Focus While Taking Decisions on Implementing ERP on Cloud

Sun Tzu’s Awesome Tips On Cpu Or Gpu For Inference

Security Update – Webmin

Mitigation