Remote command injection in Webmin



Published: 2019-08-16 | Updated: 2023-05-09
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-15231, CVE-2019-15107
CWE-ID CWE-77
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Webmin
Web applications / Remote management & hosting panels

Vendor Webmin

Security Bulletin

This security bulletin contains information about 1 vulnerability.

Updated: 21.11.2019
Added information about in-the-wild exploitation of the vulnerability; changed CVSS score.
Updated: 14.01.2020
Added link to Metasploit module.

1) Command Injection

EUVDB-ID: #VU20412

Risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2019-15231, CVE-2019-15107

CWE-ID: CWE-77 - Command injection

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary commands on a targeted system.

The vulnerability exists due to insufficient validation of user-supplied input in the "password_change.cgi" script. A remote attacker can send a specially crafted HTTP request that submits malicious input to the password reset request form page and execute arbitrary commands with root privileges.

Note: this vulnerability is being exploited in the wild by the Roboto botnet.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Webmin: 1.882 - 1.921
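
A defender-side triage example for the description and version range above, added here and not part of the original bulletin or of Webmin's code: it checks an installed version against the listed range and flags POST requests to password_change.cgi that carry no authenticated user. The Common Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Range copied from the bulletin's "Vulnerable software versions" section.
VULN_MIN, VULN_MAX = (1, 882), (1, 921)

# Assumption: access-log lines use Common Log Format.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

def parse_version(text):
    """Turn '1.920' into (1, 920); reject anything not in major.minor form."""
    m = re.fullmatch(r'(\d+)\.(\d+)', text.strip())
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_vulnerable(version):
    """True when the version falls inside the bulletin's affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX

def suspicious_requests(lines):
    """Yield (ip, timestamp, status) for POSTs to password_change.cgi
    that carry no authenticated user, for manual review."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line we can parse
        path = m['path'].split('?', 1)[0]
        if (m['method'] == 'POST' and m['user'] == '-'
                and path.endswith('/password_change.cgi')):
            yield m['ip'], m['ts'], int(m['status'])

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - admin [16/Aug/2019:10:01:00 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Aug/2019:10:02:11 +0000] "POST /password_change.cgi HTTP/1.1" 200 312',
    '198.51.100.4 - - [16/Aug/2019:10:03:40 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048',
    '192.0.2.10 - admin [16/Aug/2019:10:05:02 +0000] "POST /password_change.cgi HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for v in ("1.881", "1.882", "1.920", "1.921", "1.930"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "outside listed range")
    for ip, ts, status in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} at {ts} -> HTTP {status}")
```

A flagged line is a lead for review, not proof of compromise; the version check only reflects the range stated in this bulletin.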

External links

http://www.webmin.com/security.html
http://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


