Mystery over subtle compromise that lay dormant for more than 12 months

A backdoor mechanism in Webmin, a popular web-based system configuration tool for servers, has been uncovered – more than a year after unidentified miscreants first established it.

The security breach offered a mechanism for miscreants to take over servers running Webmin, compromising any systems managed through vulnerable installs of the control panel software in the process.

In a security notice to users, Webmin’s developers “strongly recommended” upgrading all versions from 1.882 through to 1.921 of the software in response to the newly discovered remote code execution (RCE) vulnerability.

“Webmin releases between these versions contain a vulernability [sic] that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately – other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default,” developers said.

“Either way, upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run.”

Turkish security researcher Özkan Mustafa Akkuş uncovered what initially seemed like a serious flaw in the Webmin source code before presenting his findings at DEF CON hacker convention in Las Vegas earlier this month.

Subsequent digging into this vulnerability (CVE-2019-15107) revealed that it arose as a result of “malicious code injected into compromised build infrastructure”, rather than security bugs introduced by the developers themselves.

As a result, Webmin packages offered through SourceForge were compromised. GitHub versions of the code are thought to have been clean.

This implies that either machines used to upload Webmin code to SourceForge were compromised or miscreants had hacked into Webmin’s SourceForge account.

SourceForge president Logan Abbott sought to allay fears of wider problems by publicly saying the problem was limited to Webmin.

“SourceForge was hosting the packaged releases exactly as uploaded by the project admins, he said on Twitter.

“We have reviewed the situation and have found no evidence of tampering or changes occurring on the SourceForge platform. Looks like admins removed vulnerability in subsequent uploads.”