FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

webmin -- unauthenticated remote code execution

Affected packages
webmin < 1.930
usermin < 1.780

Details

VuXML ID ece65d3b-c20c-11e9-8af4-bcaec55be5e5
Discovery 2019-08-17
Entry 2019-08-17

Joe Cooper reports:

I've rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We're still investigating how and when, but the exploitable code has never existed in our github repositories, so we've rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code).

I don't have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.

This release addresses CVE-2019-15107, which was disclosed earlier today. It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them.

References

CVE Name CVE-2019-15107
URL https://virtualmin.com/node/66890