Remote command injection in Webmin

Published: 2019-08-16 | Updated: 2023-05-09

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-15231 CVE-2019-15107
CWE-ID	CWE-77
Exploitation vector	Network
Public exploit	Vulnerability #1 is being exploited in the wild.
Vulnerable software	Webmin Web applications / Remote management & hosting panels
Vendor	Webmin

Security Bulletin

This security bulletin contains information about 1 vulnerabilities.

Updated: 21.11.2019

Added information about in the wild exploitation of the vulnerability, changed CVSS score.

Updated: 14.01.2020

Added link to Metasploit module.

1) Command Injection

EUVDB-ID: #VU20412

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2019-15231,CVE-2019-15107

CWE-ID: CWE-77 - Command injection

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary commands on a targeted system.

The vulnerability exists due to insufficient validation of user-supplied input in the "password_change.cgi" script. A remote attacker can send a specially crafted HTTP request that submits malicious input to the password reset request form page and execute arbitrary commands with root privileges.

Note, this vulnerability is being exploited in the wild by the Roboto botnet.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Webmin: 1.882 - 1.921

CPE2.3

External links

https://www.webmin.com/security.html
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.