Guard against Webmin

Zyxel_Forum_Admin Posts: 125  Admin
edited September 2021 in Security Highlight
Webmin is vulnerable to unauthenticated remote command execution
(Vulnerable versions: Webmin 1.882 to 1.921)
Webmin is a popular web-based management UI for Linux/UNIX systems. This vulnerability was not an ordinary coding mistake: an attacker compromised the project's development infrastructure and planted a backdoor in the source code, and that backdoor remained in several Webmin releases (1.882 to 1.921). The developer later announced that only the packages downloaded from the SourceForge repository were affected; Webmin's GitHub repositories did not contain the backdoor.
A parameter handled by "password_change.cgi" is subject to command injection: its value is passed to the shell without sanitization. An attacker can send a crafted HTTP request to the password-change form, inject shell commands, and run them on the host with the privileges of the Webmin process (normally root), taking over the server. The exploit requires no valid username or password, so the usual Webmin authentication is bypassed entirely.
Mitigation (on the host):
Update to Webmin 1.930 or later. If you cannot update immediately, disabling the "user password change" option in Webmin mitigates this vulnerability. You can confirm the installed version in /etc/webmin/version or from the "Server: MiniServ/<version>" header Webmin returns. If a vulnerable version was reachable from an untrusted network, assume it may already have been exploited and examine the host before trusting it again.
Mitigation (on the network):
1. Access intranet services through a VPN
Requiring remote administrators to reach the internal Webmin instance over a VPN keeps it off the public internet and prevents unauthorized outside access.
2. Deploy advanced protection
Zyxel ZyWALL USG/ATP series firewalls can block this network attack with their IDP security feature. Update to the latest IDP signature set and enable the IDP function on the policies that cover traffic to the Webmin host. Note that Webmin normally serves its UI over HTTPS, so the IDP engine can only match the contents of the malicious request if SSL inspection is enabled for that traffic; otherwise rely on the host update and the VPN restriction.
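As an added example (not code from the original post, from Webmin or from Zyxel), the Python below shows the two checks a practitioner would want for the points above: a version test for the host mitigation, reading the version from Webmin's "Server: MiniServ/<version>" response header and comparing it against the affected range, and a request-level detector of the kind an IDP signature performs, flagging requests to password_change.cgi whose parameters carry shell metacharacters. It relies on the public detail that the backdoor executed the "old" (old-password) field through Perl's qx//. Assumptions: the sample requests are constructed, the host name webmin.example.internal is fictitious, and the session-cookie check looks for Webmin's "sid" cookie; adjust it if your deployment differs.

```python
import re
from urllib.parse import parse_qs

# Affected range as stated in the advisory; 1.930 is the first fixed release.
VULNERABLE_MIN = "1.882"
VULNERABLE_MAX = "1.921"
FIXED_VERSION = "1.930"

# Shell metacharacters that never belong in a password field. The backdoor
# handed the 'old' field to Perl's qx//, i.e. straight to /bin/sh.
SHELL_META = re.compile(r"[|;&`$()<>\n]")


def parse_version(version: str) -> tuple:
    """Turn a Webmin version string ('1.890', '1.9') into a comparable tuple.
    Webmin versions are decimal numbers, so '1.9' and '1.900' are the same."""
    major, _, minor = version.strip().partition(".")
    return (int(major), int((minor or "0").ljust(3, "0")[:3]))


def miniserv_version(server_header: str):
    """Pull the version out of a 'Server: MiniServ/1.890' header value, or None."""
    m = re.search(r"MiniServ/(\d+(?:\.\d+)?)", server_header)
    return m.group(1) if m else None


def is_vulnerable_version(version: str) -> bool:
    """True if the version falls inside the affected range (inclusive)."""
    return parse_version(VULNERABLE_MIN) <= parse_version(version) <= parse_version(VULNERABLE_MAX)


def needs_update(server_header: str) -> bool:
    """Host check: True if the banner names a release in the affected range."""
    version = miniserv_version(server_header)
    return version is not None and is_vulnerable_version(version)


def parse_http_request(raw: str):
    """Minimal HTTP/1.x request parser returning (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def flag_password_change_injection(raw_request: str) -> dict:
    """Network-side check of one request, in the spirit of an IDP signature:
    alert when a password_change.cgi parameter contains shell metacharacters.
    Query-string and POST-body parameters are both inspected."""
    method, path, headers, body = parse_http_request(raw_request)
    script, _, query = path.partition("?")
    if not script.endswith("/password_change.cgi"):
        return {"alert": False}
    params = parse_qs(query)
    if method == "POST":
        params.update(parse_qs(body))
    suspicious = {k: v for k, v in params.items()
                  if any(SHELL_META.search(x) for x in v)}
    return {
        "alert": bool(suspicious),
        "method": method,
        "params": suspicious,
        # Assumption: Webmin's session cookie is named 'sid'. A password-change
        # request without one is the unauthenticated pattern the advisory describes.
        "authenticated": "sid=" in headers.get("cookie", ""),
    }


# Constructed sample requests (not captured traffic); the host name is fictitious.
BENIGN_REQUEST = (
    "POST /password_change.cgi HTTP/1.1\r\n"
    "Host: webmin.example.internal:10000\r\n"
    "Cookie: sid=deadbeef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&old=Winter2021&new1=Spring2022&new2=Spring2022"
)

INJECTION_REQUEST = (
    "POST /password_change.cgi HTTP/1.1\r\n"
    "Host: webmin.example.internal:10000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=root&old=x%7Cid&new1=x&new2=x"   # old = "x|id": a pipe into a command
)

if __name__ == "__main__":
    for banner in ("MiniServ/1.890", "MiniServ/1.930"):
        print(banner, "-> needs update" if needs_update(banner) else "-> ok")
    for name, req in (("benign", BENIGN_REQUEST), ("injection", INJECTION_REQUEST)):
        print(name, flag_password_change_injection(req))
```

The version check is only a banner comparison: it tells you what the server claims to run, so treat it as a triage step and confirm on the host itself. The request check shows why the network mitigation depends on visibility: the injected parameter sits in the request body, which a firewall only sees for plaintext traffic or with SSL inspection in place.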
Revision history
2019-11-21: Initial release