Bug 25331

Summary: webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107, CVE-2019-15231)
Product: Mageia Reporter: Johnny A. Solbu <cooker>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb, wilcal.int
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/
Whiteboard: MGA7-64-OK
Source RPM: webmin-1.910-1.mga7.src.rpm CVE: CVE-2019-15107
Status comment:

Description Johnny A. Solbu 2019-08-20 09:27:34 CEST 
Webmin is voulnerable to remote code execution in versions from 1.882 to 1.921, due to an intrusion in the developers previous build server.

Details are in a recent article in TheRegister[1]
According to the article, if webmin is configured with -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one, the system is voulnerable to remote code execution.

The bug is fixed in version 1.930, which also fixes an XSS bug

How you should test this I have no idea.

[1] https://www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/
Comment 1 Johnny A. Solbu 2019-08-20 09:37:39 CEST 
Add CVE reference

QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2019-15107

Comment 2 Lewis Smith 2019-08-20 09:49:18 CEST 
Webmin has no registered maintainer, so assigning globally, CC'ing DavidW.

Assignee: bugsquad => pkg-bugs
CC: (none) => luigiwalser

Comment 3 David Walser 2019-08-20 12:35:38 CEST 
Advisory:
========================

Updated webmin package fixes security vulnerability:

Webmin before 1.930 allows remote exploits if the option to change expired passwords is enabled (CVE-2019-15107).

Note that it is only vulnerable if changing of expired passwords is enabled,
which is not the case by default.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107
http://www.webmin.com/security.html
http://www.webmin.com/changes.html
========================

Updated packages in core/updates_testing:
========================
webmin-1.930-1.mga7

from webmin-1.930-1.mga7.src.rpm

Summary: CVE-2019-15107: Webmin 1.882 to 1.921 have command injection vulnerability in certain configuration setups => webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107)
Assignee: pkg-bugs => qa-bugs

Comment 4 William Kenney 2019-08-29 22:47:26 CEST 
In VirtualBox, M7, Plasma, 64-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi webmin
Package webmin-1.910-1.mga7.noarch is already installed

Webmin works

install webmin from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi webmin
Package webmin-1.930-1.mga7.noarch is already installed

Webmin works fine

This is a noarch package so 32-bit testing is not necessary

CC: (none) => wilcal.int

William Kenney 2019-08-29 22:48:28 CEST

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-08-31 11:46:53 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-08-31 15:24:30 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0237.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2020-01-15 14:20:23 CET 
This update also fixed an apparently related issue, CVE-2019-15231:
http://www.webmin.com/security.html

Summary: webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107) => webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107, CVE-2019-15231)