Webmin, the web-based interface for system administration for Unix and Linux, had a remote code execution vulnerability deliberately introduced into its source code in April 2018.  It was only publicised in August 2019 when a zero day exploit was published at DefCon 27. Webmin has been installed over a million times worldwide.

The malicious code change deliberately introduced a remote code execution vulnerability into the password_change.cgi module of Webmin.  The change was first introduced in April 2018 in version 1.890. It was reverted by happy accident by the developers and then re-introduced by the attackers in a modified form into the source code in July 2018 used for the 1.900 release of Webmin.  The exploit code has been removed from version 1.930 released in August 2019.

The changed code was published on the project’s Sourceforge pages (the official download location) whereas the Github versions were not modified.  This implies that the ‘chain of custody’ of the code from the source in Github through the build servers onto the published download location on Sourceforge was compromised.

The developers have identified that their build server made use of a local cached copy of the source rather than pulling from Github for each compilation. This cache was modified by the attackers to introduce the vulnerabilities, and the timestamp of the files was modified to prevent the changes being noticed.

Why source code security is important

This incident provides a useful reminder of the importance of ensuring development systems and source code repositories are secure and protected from unauthorised changes.  The vulnerability introduced into the Webmin utility was active for over a year before it was identified and patched by the developers.

It is easy to make the assumption that in-house code is trusted and safe.  However, if the source code is not secure, it could be compromised by an attacker in order to introduce deliberate vulnerabilities and malfunctions which are then exploited at a later date.

Wise security managers ask themselves:

How do I know that no unexpected changes have been introduced into a new version of the application delivered to production servers by the development team?

This is especially important if open-source libraries or even commercial third-party libraries or components are compiled into your applications.

The PCI-DSS standard recognises these risks with requirement 6 to ‘Develop and Maintain Secure Systems.’

How to mitigate the Webmin vulnerability

If you are running version 1.900 of Webmin, the RCE is only active if you have configured

your Webmin installation to have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.

The vulnerability is fixed in version 1.930 Released in August 2019.

A blog post from the developer of Webmin includes some indicators of compromise to look for in your system logs.