FreeBSD : webmin -- unauthenticated remote code execution (ece65d3b-c20c-11e9-8af4-bcaec55be5e5)

critical Nessus Plugin ID 127954

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Joe Cooper reports :

I've rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We're still investigating how and when, but the exploitable code has never existed in our github repositories, so we've rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code).

I don't have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.

This release addresses CVE-2019-15107, which was disclosed earlier today. It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them.

Solution

Update the affected packages.

See Also

https://virtualmin.com/node/66890

http://www.nessus.org/u?a23b81f6

Plugin Details

Severity: Critical

ID: 127954

File Name: freebsd_pkg_ece65d3bc20c11e98af4bcaec55be5e5.nasl

Version: 1.7

Type: local

Published: 8/20/2019

Updated: 3/29/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-15107

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:usermin, p-cpe:/a:freebsd:freebsd:webmin, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/17/2019

Vulnerability Publication Date: 8/17/2019

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

Metasploit (Webmin password_change.cgi Backdoor)

Reference Information

CVE: CVE-2019-15107