Backdoor found in Webmin, a popular web-based utility for managing Unix servers (Aug 20, 2019)
A backdoor with the potential to allow remote code execution with root privileges has been found in Webmin, a web-based application for remotely managing Unix servers. The vulnerability, CVE-2019-15107, discovered by researcher Özkan Mustafa Akkuş, was initially thought to allow unauthenticated code execution; however, further research following the DEF CON security conference indicates a serious security flaw. When a password expiration policy is in use, an attacker can embed shell commands in an HTTP request sent to the Webmin server and take over the Webmin install. Webmin states that the vulnerability was caused by malicious code injected into its infrastructure and that only packages downloaded from SourceForge are affected; GitHub downloads are not affected.
Recommendation: It is strongly recommended that users upgrade to Webmin version 1.930. Users running versions 1.900 to 1.920 who cannot upgrade immediately should instead edit /etc/webmin/miniserv.conf, remove the passwd_mode= line and run /etc/webmin/restart.
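The interim mitigation above, scripted as an added example (not from the advisory or the Webmin project): it checks the installed version against the affected 1.900 to 1.920 range, removes any passwd_mode= line from miniserv.conf with a backup, and restarts miniserv. It assumes Webmin records its version as a single line in /etc/webmin/version and that /etc/webmin/restart exists on the host; the directory is passed as an argument so the same functions can be exercised against a constructed copy.

```shell
#!/bin/sh
# Added example: apply the advisory's interim Webmin mitigation.
# Assumptions (not stated on the page): $dir/version holds one line such as
# "1.920", miniserv.conf is a key=value file, and $dir/restart restarts miniserv.
# Usage: sh webmin_mitigate.sh /etc/webmin

# Return 0 when the version string falls in the affected 1.900 .. 1.920 range.
webmin_version_affected() {
    # split "1.920" on the dot; awk compares the minor part numerically
    echo "$1" | awk -F. '{ exit !($1 == 1 && $2 >= 900 && $2 <= 920) }'
}

# Return 0 when the config still carries a passwd_mode= line.
has_passwd_mode() {
    grep -q '^passwd_mode=' "$1"
}

# Drop every passwd_mode= line, keeping a .bak copy of the original config.
# Uses a temp file instead of sed -i so it behaves the same on GNU and BSD.
remove_passwd_mode() {
    conf="$1"
    cp "$conf" "$conf.bak"
    { grep -v '^passwd_mode=' "$conf" || :; } > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Check the version, apply the mitigation if needed, and restart miniserv.
mitigate_webmin() {
    dir="$1"
    ver=$(cat "$dir/version")
    if ! webmin_version_affected "$ver"; then
        echo "Webmin $ver is outside 1.900-1.920; upgrade to 1.930 if older"
        return 0
    fi
    if has_passwd_mode "$dir/miniserv.conf"; then
        remove_passwd_mode "$dir/miniserv.conf"
        # the restart helper is absent in a constructed test directory
        if [ -x "$dir/restart" ]; then "$dir/restart"; fi
        echo "removed passwd_mode= from $dir/miniserv.conf and restarted miniserv"
    else
        echo "no passwd_mode= line in $dir/miniserv.conf; nothing to do"
    fi
}

# Only act when a Webmin directory is given on the command line.
if [ -n "${1:-}" ]; then mitigate_webmin "$1"; fi
```

Upgrading to 1.930 remains the real fix; this only removes the configuration the flaw depends on until that upgrade happens.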
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.