Dear Planet Earth: Patch Webmin now – zero-day exploit emerges for potential hijack hole in server control panel

The maintainers of Webmin – an open-source application for system-administration tasks on Unix-flavored systems – have released Webmin version 1.930 and the related Usermin version 1.780 to patch a vulnerability that can be exploited to achieve remote code execution in certain configurations. Joe Cooper, one of the …

  1. Anonymous Coward

    I've only ever used Webmin for convenience really. It's concerning to think how that code even got there - what else could be lurking?

    Uninstalled and very unlikely to reinstall unfortunately. Everything has its vulnerabilities, but when the project authors are unlikely to find how it got introduced, I can't trust it won't happen again.

    1. Claptrap314 Silver badge

      There are two levels of fail required here. The attacker got on his build box, yes. But the bad code never hit their source code. Too bad about the build box, but the bigger fix is signing the release. Get that fixed, and it should not matter how the build box was p0wned.

      1. Marco Fontani

        How is the release signed? Using a key on the build box?

        1. GnuTzu Silver badge

          I know I'm preaching to the choir here, but we are now well beyond the point where a release should ever go out the door without some serious testing.

          And, for administration tools, presumably of the sort that could be used to weaken security settings--on a number of servers, this now means much more than just a virus scan. It's time to pull out the fuzzers and other tools to search for zero-day exploits.

    2. The Average Joe

      At one time my windows computer got a worm on the internet...

      so now I am not going to use the internet or windows again! Take that!

    3. Anonymous Coward

      posting AC

      It's not for marketing messages.

    4. Anonymous Coward

      > Uninstalled and very unlikely to reinstall unfortunately. Everything has its vulnerabilities, but when the project authors are unlikely to find how it got introduced, I can't trust it won't happen again.

      Did you hear of VW dieselgate? You know you can't trust the air you breathe anymore, don't you?

      I'd stop breathing if I were you!!

      /s

      (added sarcasm tag as it appears needed)

      1. Tom Paine Silver badge

        The analogy falls down because there are no alternative atmospheres available, but there are many ways to administer a *nix box.

  2. amanfromMars 1 Silver badge

    Relating to SMARTR Cookies

    Kudos to Cooper for playing the game so well with the Register.

  3. Anonymous Coward

    At least a responsible response

    No attempt at spin or denial, more "how the f*ck did it get here" and "let's fix this asap".

    I'd reserve your downvotes for the Twitter feed of the security "researcher", who released exploit code without even bothering to inform the software authors. To me, that's malice with intent and could well create culpability for this Akkuş chap if someone gets breached because of this stupidity.

    There is a long established protocol for this: notify, wait (time set either together with product owners or at least a sensible default), THEN publish. As Steam has found out, if you don't work with the researcher you will end up with an arbitrary waiting time, and thus with your trousers down when it goes public, but researchers who do not follow protocol are far more liable to end up with prosecution.

    1. phuzz Silver badge

      Re: At least a responsible response

      I feel that prosecution is taking it a bit far, but I do agree that giving the authors at least some warning is best.

      After all, being able to say "I found this bug" is nice, but being able to say "I found this bug, and worked with the authors to fix it" is better ("I found this bug, and told the authors but they've ignored me" is still pretty good).

      1. Muppet Boss
        WTF?

        Re: At least a responsible response

        >I feel that prosecution is taking it a bit far

        What Mr. Akkuş seems to have achieved is creating what probably amounts to a malicious computer program targeting certain popular software installed on 200'000+ computer systems, and publicly distributing that program without notifying the said software authors. He also publicly acknowledged not being a white hat and not notifying the Webmin authors when responding to Webmin's Joe Cooper on Twitter. People certainly got jailed for less.

        https://twitter.com/ehakkus/status/1163293486554255360

    2. Robert Carnegie Silver badge

      Re: At least a responsible response

      If I'm reading the story correctly (as updated), it is not an accidental bug in the software, but a deliberately introduced malicious feature by an unknown hacker at an unknown time. So presumably, one or more users of the software had been hacked already by this means and didn't know about it. So it may have become known by someone leaking the existence of the vulnerability.

      1. Crypto Monad

        Re: At least a responsible response

        > So it may have become known by someone leaking the existence of the vulnerability.

        Or somebody decided to compare the webmin distribution tarball with the source on github.
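The check Crypto Monad describes, and the reason Claptrap314's point about signing is not the whole answer, can be made concrete. The following is an added example, not code from the article, the commenters or the Webmin project: it unpacks a release tarball and diffs it against the tree a clean checkout of the repository would produce. Code injected on a compromised build host lands in the tarball but not in the repository, so the diff is where it shows up; note that a release signature produced on that same build host would still verify, which is why the comparison is worth running independently of signing. Every file name, file content and tarball below is constructed sample data (the `app-1.0` tree, `password_change.cgi`, the injected `exec_extra` line), not anything shipped by Webmin.

```shell
# Added example, not from the article, the commenters or the Webmin project.
# Compares what a release tarball ships against a reference source tree.
set -eu

# Usage: compare_release_to_source TARBALL SRCDIR
# Returns 0 when the unpacked tarball matches SRCDIR byte for byte, 1 otherwise
# (printing the differences), so it can gate a release pipeline.
compare_release_to_source() {
  tarball=$1
  srcdir=$2
  scratch=$(mktemp -d)
  tar -xzf "$tarball" -C "$scratch"
  # A source tarball is expected to unpack into exactly one top-level directory.
  set -- "$scratch"/*
  top=$1
  if diff -r "$srcdir" "$top"; then
    rm -rf "$scratch"
    return 0
  else
    rm -rf "$scratch"
    return 1
  fi
}

# Constructed fixture (hypothetical project "app-1.0"): a "repository" tree,
# a tarball built from an identical tree, and a tarball built from a tree that
# picked up one extra line on the build host. Prints the fixture directory.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/repo/app-1.0" "$fx/build-clean" "$fx/build-tampered"
  printf '#!/usr/bin/perl\n# sample password-change handler\nmy $pw = $in{"new"};\nsave_password($pw);\n' \
    > "$fx/repo/app-1.0/password_change.cgi"
  printf 'app 1.0 (constructed sample)\n' > "$fx/repo/app-1.0/README"

  # Clean build: the tree on the build host equals the repository.
  cp -R "$fx/repo/app-1.0" "$fx/build-clean/app-1.0"
  tar -czf "$fx/app-1.0-clean.tar.gz" -C "$fx/build-clean" app-1.0

  # Tampered build: one line that exists only on the build host, never committed.
  cp -R "$fx/repo/app-1.0" "$fx/build-tampered/app-1.0"
  printf 'exec_extra($in{"old"}); # injected on the build host, absent from the repository\n' \
    >> "$fx/build-tampered/app-1.0/password_change.cgi"
  tar -czf "$fx/app-1.0-tampered.tar.gz" -C "$fx/build-tampered" app-1.0

  printf '%s\n' "$fx"
}

# Stand-alone run: the clean tarball passes, the tampered one prints the
# injected line as a diff hunk and fails.
fixture=$(make_fixture)
compare_release_to_source "$fixture/app-1.0-clean.tar.gz" "$fixture/repo/app-1.0" && echo "clean tarball: OK"
compare_release_to_source "$fixture/app-1.0-tampered.tar.gz" "$fixture/repo/app-1.0" || echo "tampered tarball: MISMATCH"
```

In practice `SRCDIR` would be a fresh `git clone` of the tagged release commit rather than a constructed directory, and generated files (autotools output, minified assets) need to be either rebuilt deterministically or excluded with `diff -r -x` so that only unexplained differences remain.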

    3. Tom Paine Silver badge

      Re: At least a responsible response

      The community / industry rough consensus has settled on something pretty much like the original RainForestPuppy disclosure policy from, what, 2002? -- the glory days of Full Disclosure (the mailing list).

  4. amanfromMars 1 Silver badge

    The Most Interesting of Perpetual Challenges ...

    ..... to That and/or Those Destined and Feted to Stay Way Out Ahead Following the Future ‽

    After all, being able to say "I found this bug" is nice, but being able to say "I found this bug, and worked with the authors to fix it" is better ("I found this bug, and told the authors but they've ignored me" is still pretty good). ..... phuzz

    Howdy, phuzz,

    Some would be happy to accept and work with the premise, with particular and peculiar regard to I found this bug, and told the authors but they've ignored me, that such a disengagement is tantamount to incitement and wilful encouragement to further exploit and explore the recently discovered and/or rehashed but not yet more fully uncovered to the greater general population.

  5. Anonymous Coward

    Webmin is a web-based interface

    > Webmin is a web-based interface for system administration for Unix. Using any modern web browser [...]

    Don't use your browser for administration anything, as any bug or misconfiguration in the web server can render your system wide open. Do it the old fashioned way, SSH in and run a couple of scripts.

    1. Anonymous Coward

      Re: Webmin is a web-based interface

      I hear you, but that's why we are old fashioned and actually use a DMZ hosted proxy - for us, no control interface shall ever be live on the Net.

      If you manage to inject scripts past the cert-based VPN and the DMZ filtering on the firewall and the authentication, frankly, I think we deserve all the misery you can dole out.

      In case that you think that's a bit hard shell, soft centre - you have to follow the same route from inside. I know network segregation is not the modern way of running a facility, but it works.

      1. Tom Paine Silver badge

        Re: Webmin is a web-based interface

        *startled*

        > I know network segregation is not the modern way of running a facility [...]

        Really? Since when? Must have missed that memo...

        Admittedly there are still plenty of sites and orgs out there that never got the original, apparently old-fashioned, memo and are still big flat networks (with a "Please hack me" note stuck to their backs), but...

      2. Stevie Silver badge

        Re: Webmin is a web-based interface

        Sorry, that approach is riddled with assumptions and security problems.

        The only secure way is long poles scavenged from the local snooker hall with a glove stuffed with plaster of paris on the end. Using this device with a bit of practice you can remotely control even an air-gapped computer from 2 cubes away.

        Any attempt to man-in-the-middle using a tenon saw is easily detected, and counter-measures can be deployed, eg a bent paperclip launched with malice aforethought and a fat rubber band.

  6. Bitsminer
    WTF?

    Supply Chain Attack

    And they didn't think they were a target.


Biting the hand that feeds IT © 1998–2019