Webmin – Remote Command Execution Vulnerability
We have been made aware of a remote exploit in Webmin versions 1.882 to 1.921 that will allow users to run arbitrary commands. The parameter old in password_change.cgi contains a command injection vulnerability that can be exploited for remote command execution.
Version 1.890 is vulnerable in its default install whereas the other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.
Mitigation
<p><pre><code>The patched version 1.930 is released by Webmin. Webmin version 1.890 is vulnerable in a default install and should be upgraded immediately. For versions 1.900 to 1.920 if an upgrade is not possible alternately, they can edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, restart the webmin service by running /etc/webmin/restart.</code></pre></p><p><pre><code>E2E Networks encourages its customers to pursue the best practices of security to keep their systems updated, protected and patched against recognized vulnerabilities.</code></pre></p><h3><strong>Official Security Advisories</strong></h3><p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107</a></p><p><pre><code>If you have any queries regarding the patching/updates on E2E Networks infrastructure, please write in the comments below.</code></pre></p>
