Service Notices
Webmin Remote Code Execution Vulnerability (CVE-2019-15107)
Aug 22, 2019 GMT+08:00
I. Overview
Recently, the HUAWEI CLOUD security team noticed that Webmin, a popular system administration tool, officially released a security alert. Versions earlier than Webmin 1.930 are affected by a remote code execution vulnerability (CVE-2019-15107). When the password reset function is enabled, attackers can exploit this vulnerability to inject system commands and have them executed.
Reference link:
http://www.webmin.com/security.html
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Versions earlier than Webmin 1.930
Secure versions:
Webmin 1.930
IV. Solutions
This vulnerability has been fixed in the latest official version, Webmin 1.930. Upgrade to the latest version as soon as possible.
Download link: http://webmin.com/download.html
Workarounds:
For Webmin 1.900 to 1.920, you can edit the configuration file /etc/webmin/miniserv.conf by commenting out or deleting the passwd_mode= line, and then run the /etc/webmin/restart command to restart the service.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
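The workaround above as a shell helper. This is an added example, not part of the original notice or of Webmin. The function names and the .bak backup suffix are assumptions, and the demo runs on a constructed sample file.

```shell
#!/bin/sh
# Added example: apply the passwd_mode workaround to a miniserv.conf file.
# Function names and the .bak suffix are illustrative choices.

# Return 0 if the file has an active (uncommented) passwd_mode= line.
passwd_mode_active() {
    grep -Eq '^[[:space:]]*passwd_mode=' "$1"
}

# Comment out every active passwd_mode= line, keeping a backup copy.
# Exit codes: 0 = changed, 1 = nothing to change, 2 = error.
disable_passwd_mode() {
    conf=$1
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 2; }
    if ! passwd_mode_active "$conf"; then
        echo "no active passwd_mode= line in $conf"
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 2
    tmp=$(mktemp) || return 2
    # Write via a temp file, then copy the contents back so the
    # original file keeps its owner and permissions.
    sed 's/^\([[:space:]]*passwd_mode=\)/#\1/' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 2
    echo "commented out passwd_mode= in $conf (backup: $conf.bak)"
    return 0
}

# Demo on a constructed sample file, not a real Webmin configuration.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'port=10000\npasswd_mode=2\nssl=1\n' > "$dir/miniserv.conf"
    disable_passwd_mode "$dir/miniserv.conf"
    cat "$dir/miniserv.conf"
    rm -rf "$dir"
}

# On a real host (as root):
#   disable_passwd_mode /etc/webmin/miniserv.conf && /etc/webmin/restart
```

The change takes effect only after the /etc/webmin/restart step; exit code 1 means the file had no active passwd_mode= line to comment out.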