In an unnerving twist, when a critical zero-day vulnerability was reported in a Unix administration tool, called Webmin, it was revealed the flaw was no accident. According to researchers, the vulnerability was a secret backdoor planted in the popular utility nearly a year before its discovery.
The backdoor gave anyone with knowledge of its existence the ability to execute commands as root, meaning an attacker could take control of the targeted endpoint. According to Jamie Cameron, the author of Webmin, the bogus version was 1.890. Two additional versions were found with near identical backdoor code, version 1.900 and 1.920.
“Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” Cameron wrote in a post outlining the issues.
According to Cameron, the Webmin development build server was compromised on April 2018. He said that’s when a vulnerability was added to the “password_change.cgi” script. Cameron explained, by backdating the file it was reverted to a Github “checked-in” version of code and escaped scrutiny. The code then shipped with the 1.890 version of the Webmin release.
Then in July 2018, the malicious actor behind the vulnerable version of the “password_change.cgi” script updated the file again. This time the change impacted the Webmin 1.900 release. “This time the exploit was added to code that is only executed if changing of expired passwords is enabled,” the author wrote.
Things got interesting in Sept. 2018 when the vulnerable build server was decomissioned and replaced with a newly installed server running CentOS 7. However, the vulnerable code “was copied across from backups made on the original server,” the author explained.
Either way, the bug only impacted systems with a specific configuration. “To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” according to a description of the bug.
The bug itself surfaced at DEF CON 2019, when a researcher released zero-day research illustrating a bug (CVE-2019-15107) that made use of the vulnerability. It was this research that shed light on the malicious code injected back in July 2018. “In response (to CVE-2019-15107), the exploit code was removed and Webmin version 1.930 created and released to all users,” Cameron wrote.
In response to the implanted malicious code Webmin said it would adopt new mitigations efforts such as:
- Updating the build process to use only checked-in code from Github, rather than a local directory that is kept in sync.
- Rotating all passwords and keys accessible from the old build system.
- Auditing all Github checkins over the past year to look for commits that may have introduced similar vulnerabilities.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.