Dear Planet Earth: Patch Webmin now – zero-day exploit emerges for potential hijack hole in server control panel The maintainers of Webmin – an open-source application for system-administration tasks on Unix-flavored systems – have released Webmin version 1.930 and the related Usermin version 1.780 to patch a vulnerability that can be exploited to achieve remote code execution in certain configurations. Joe Cooper, one of the …
I've only ever used Webmin for convenience really. It's concerning to think how that code even got there - what else could be lurking?
Uninstalled and very unlikely to reinstall unfortunately. Everything has its vulnerabilities, but when the project authors are unlikely to find how it got introduced, I can't trust it won't happen again.
I know I'm preaching to the choir here, but we are now well beyond the point where a release should ever go out the door without some serious testing.
And, for administration tools, presumably of the sort that could be used to weaken security settings--on a number of servers, this now means much more than just a virus scan. It's time to pull out the fuzzers and other tools to search for zero-day exploits.
Uninstalled and very unlikely to reinstall unfortunately. Everything has its vulnerabilities, but when the project authors are unlikely to find how it got introduced, I can't trust it won't happen again.
Did you hear of VW dieselgate? You know you can't trust the air you breathe anymore, don't you?
I'd stop breathing if I were you!!
/s
(added sarcasm tag as it appears needed)
No attempt at spin or denial, more "how the f*ck did it get here" and "let's fix this asap".
I'd reserve your downvotes for the Twitter feed of the security "researcher". who released exploit code without even bothering to inform the software authors. To me, that's malice with intent and could well create culpability for this Akkuş chap if someone gets breached because of this stupidity.
There is a long established protocol for this: notify, wait (time set either together with product owners or at least a sensible default), THEN publish. As Steam has found out, if you don't work with the researcher you will end up with an arbitrary waiting time, and thus with your trousers down when it goes public, but researchers who do not follow protocol are far more liable to end up with prosecution.
I feel that prosecution is taking it a bit far, but I do agree that giving the authors at least some warning is best.
After all, being able to say "I found this bug" is nice, but being able to say "I found this bug, and worked with the authors to fix it" is better ("I found this bug, and told the authors but they've ignored me" is still pretty good).
>I feel that prosecution is taking it a bit far
What Mr. Akkuş seems to have achieved is created what probably amounts to a malicious computer program targeting certain popular software installed on 200'000+ computer systems and publicly distributed such program without notifying the said software authors. Also publicly acknowledged not being a white hat and not notifying Webmin authors when responding to Webmin's Joe Cooper on Twitter. People certainly got jailed for less.
https://twitter.com/ehakkus/status/1163293486554255360
If I'm reading the story correctly (as updated), it is not an accidental bug in the software, but a deliberately introduced malicious feature by an unknown hacker at an unknown time. So presumably, one or more users of the software had been hacked already by this means and didn't know about it. So it may have become known by someone leaking the existence of the vulnerability.
..... to That and/or Those Destined and Feted to Stay Way Out Ahead Following the Future ‽
After all, being able to say "I found this bug" is nice, but being able to say "I found this bug, and worked with the authors to fix it" is better ("I found this bug, and told the authors but they've ignored me" is still pretty good). ..... phuzz
Howdy, phuzz,
Some would be happy to accept and work with the premise, with particular and peculiar regard to I found this bug, and told the authors but they've ignored me, that such a disengagement is tantamount to incitement and wilful encouragement to further exploit and explore the recently discovered and/or rehashed but not yet more fully uncovered to the greater general population.
“Webmin is a web-based interface for system administration for Unix. Using any modern web browser” ref
Don't use your browser for administration anything, as any bug or misconfiguration in the web server can render your system wide open. Do it the old fashioned way, SSH in and run a couple of scripts.
I hear you, but that's why we are old fashioned and actually use a DMZ hosted proxy - for us, no control interface shall ever be live on the Net.
If you manage to inject scripts past and the cert-based VPN and the DMZ filtering on the firewall and the authentication, frankly, I think we deserve all the misery you can dole out.
In case that you think that's a bit hard shell, soft centre - you have to follow the same route from inside. I know network segregation is not the modern way of running a facility, but it works.
*startled*
I know network segregation is not the modern way of running a facility [...]
Really? Since when? Must have missed that memo...
Admittedly there are still plenty of sites and orgs out there that never got the original, apparently old-fashioned, memo and are still big flat networks (with a "Please hack me" note stuck to their backs), but...
Sorry, that approach is riddled with assumptions and security problems.
The only secure way is long poles scavenged from the local snooker hall with a glove stuffed with plaster of paris on the end. Using this device with a bit of practice you can remotely control even an air-gapped computer from 2 cubes away.
Any attempt to man-in-the-middle using a tenon saw is easily detected, and counter-measures can be deployed, eg a bent paperclip launched with malice aforethought and a fat rubber band.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
