Attacker Value
Very High
(7 users assessed)
Exploitability
Very High
(7 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
11

Webmin password_change.cgi Command Injection

Disclosure Date: August 16, 2019
Last updated: February 28, 2020

Description

An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.


12
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This was a supply chain attack: http://www.webmin.com/exploit.html. The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

Note that SourceForge installs are affected, but GitHub checkouts aren’t.

ETA: Metasploit added an exploit module.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a terrible situation for any development team. A hacker took over a server that managed Webmin code and changed the code in a subtle way to allow them (or others) to execute commands as root on computers running Webmin. It took nearly a year and a half for the attack to be discovered and fixed.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

I tested Webmin v1.900 and the password change page was not available by default; however, it is a reasonable option to have.
A valid username is not needed for the exploit, although the command injection did not work for me when I used the valid username root.
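
A defender-side triage of the two conditions the assessments above describe (1.890 exposed in the default install, other affected versions only when the password change page is enabled), as an added example that is not part of any assessment or of Webmin's own code. It assumes the version string and the contents of miniserv.conf have already been collected from the host, and that `passwd_mode=2` in that file is what marks the password change page as enabled; the function names and sample inputs are constructed for illustration.

```python
import re

DEFAULT_EXPOSED = (1, 890)  # page: backdoor reachable in the default install
LAST_AFFECTED = (1, 920)    # page: "Webmin through 1.920"; no lower bound is given


def parse_version(text):
    """Turn a Webmin version string such as '1.890' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_conf(text):
    """Parse miniserv.conf-style key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def triage(version_text, conf_text):
    """Classify one host; returns a short status string."""
    version = parse_version(version_text)
    # Assumption: passwd_mode=2 is how miniserv.conf records that the
    # password change page is enabled.
    change_enabled = parse_conf(conf_text).get("passwd_mode") == "2"
    if version > LAST_AFFECTED:
        return "outside affected range"
    if version == DEFAULT_EXPOSED:
        return "exposed in default install"
    if change_enabled:
        return "exposed: password change enabled"
    return "affected version, password change disabled"


# Constructed sample inputs (not taken from real hosts).
SAMPLES = [
    ("1.890", "port=10000\nssl=1\n"),
    ("1.900", "port=10000\npasswd_mode=2\n"),
    ("1.900", "port=10000\npasswd_mode=0\n"),
    ("1.930", "port=10000\npasswd_mode=2\n"),
]

if __name__ == "__main__":
    for ver, conf in SAMPLES:
        print(ver, "->", triage(ver, conf))
```

A host reported as "affected version, password change disabled" still carries the modified code and should be upgraded from a trusted source.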

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This vulnerability is very easy to exploit – without the need for any tools specialized for this attack.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

High Vulnerability
