SoylentNews is people

posted by Fnord666 on Wednesday August 21 2019, @08:15AM   Printer-friendly
from the creeping-around-the-back-door dept.

Submitted via IRC for SoyCow2718

Webmin, the open source web-based interface for managing Linux and UNIX systems, contained a remote code execution vulnerability for more than a year, and it is believed to be an intentional backdoor.

The vulnerability, tracked as CVE-2019-15107, was disclosed at the recent DEFCON hacker conference, and Webmin developers were not notified of its existence before the details were made public.

The flaw lies in a feature designed for changing expired passwords, and it allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.

The security hole impacts Webmin 1.882 through 1.921, but most of these versions are not vulnerable in their default configuration, as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin 1.780.

[...] A Shodan search shows over 215,000 internet-exposed Webmin instances, mostly located in the United States, France and Germany. However, there are roughly 15,000 results for searches of version 1.890, which is vulnerable in the default configuration.

Source: https://www.securityweek.com/webmin-backdoored-over-year



  • (Score: 4, Informative) by FatPhil on Wednesday August 21 2019, @01:22PM (2 children)
    Yup:

    """
    In a blog post published today, Cooper said that the team is still investigating how and when the backdoor was introduced, but confirmed that the official Webmin downloads were replaced by the backdoored packages only on the project's SourceForge repository, and not on the Webmin's GitHub repositories.
    """

    So this is nothing to do with many eyes, it's to do with unreliable download sources.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
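The quoted confirmation above makes the supply-chain point concrete: the tarballs served from SourceForge differed from the source in the GitHub repository, so a comparison of the extracted release against a checkout of the same tag is the check that would have caught it. The following is an added example, not part of the original thread and not Webmin's own tooling. It hashes every regular file in two directory trees and reports files that differ, files present only in the tarball, and files present only in the checkout. The two trees in `demo()`, and the file names and contents in them, are constructed here for illustration; they are not the real backdoored files.

```python
"""Added example (not Webmin's own code): verify that an extracted release
tarball matches a checkout of the same tag from the project's repository.

The sample trees built in demo() are constructed for illustration; the file
names and contents are placeholders, not the real backdoor.
"""
import hashlib
import os
import tempfile

# A checkout carries VCS metadata that a release tarball never does.
IGNORE_DIRS = {".git"}


def _hash_tree(root):
    """Map relative path -> SHA-256 of every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk does not descend.
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            hashes[rel] = h.hexdigest()
    return hashes


def compare_trees(repo_dir, tarball_dir):
    """Return {"modified": [...], "only_in_tarball": [...], "only_in_repo": [...]}.

    A backdoor can be an edited file or a brand-new one, so both "modified"
    and "only_in_tarball" are findings. Files only in the repo are usually
    harmless (CI config, tests stripped from the release) but are reported
    so the reviewer can decide.
    """
    repo = _hash_tree(repo_dir)
    tar = _hash_tree(tarball_dir)
    common = repo.keys() & tar.keys()
    return {
        "modified": sorted(p for p in common if repo[p] != tar[p]),
        "only_in_tarball": sorted(tar.keys() - repo.keys()),
        "only_in_repo": sorted(repo.keys() - tar.keys()),
    }


def _write(root, rel, text):
    """Create a file (and parent dirs) with the given text under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build two constructed trees, compare them, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "webmin-git")       # stands in for a git checkout
        tar = os.path.join(tmp, "webmin-tarball")    # stands in for the extracted download
        # Identical file in both trees: must not be reported.
        _write(repo, "miniserv.pl", "# constructed placeholder\n")
        _write(tar, "miniserv.pl", "# constructed placeholder\n")
        # Same path, but the tarball copy carries an extra line (constructed).
        _write(repo, "password_change.cgi", "# constructed placeholder\n")
        _write(tar, "password_change.cgi",
               "# constructed placeholder\n# extra line present only in the tarball\n")
        # Checkout-only VCS metadata: pruned, so not reported.
        _write(repo, ".git/HEAD", "ref: refs/heads/master\n")
        # A file that exists only in the tarball: reported.
        _write(tar, "extra.cgi", "# constructed placeholder\n")
        return compare_trees(repo, tar)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In real use, point `compare_trees` at the directory produced by `tar xzf` of the downloaded archive and at `git checkout <release-tag>` of the project's repository; anything in "modified" or "only_in_tarball" needs an explanation before the package is installed.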
  • (Score: 2) by jmichaelhudsondotnet on Wednesday August 21 2019, @04:39PM (1 child)

    Isn't that terrifying? That someone working for SourceForge or who had admin creds is roaming around compromising software packages?

    Not just that the company SourceForge could be corrupt, but that a person is so evil that this is what they wake up in the morning and do.

    I'll say it again, there is a type of organization that can make trustworthy things and we should be looking for that type of organization before we start installing.

    This word 'opaque' keeps coming up as a bad thing when it comes to trustworthiness...

    • (Score: 2, Informative) by ThatIrritatingGuy on Wednesday August 21 2019, @05:34PM

      Head developer admitted that an earlier version of the exploitable code originated from his machine: "there was a local edit to that file on my packaging system" source [github.com]. That earlier version was detected only because it generated an error when trying to use the function correctly. In light of this, it is clear that it was not SF that compromised the package.