Webmin remote exploit/vulnerability does NOT affect TurnKey

It has come to our attention that a number of Webmin releases include a vulnerability that could allow a remote attacker to take control of a server with a vulnerable version of Webmin installed. Alarmingly:

The backdoor gave anyone with knowledge of its existence the ability to execute commands as root, meaning an attacker could take control of the targeted endpoint.

The first affected (infected!?) version was v1.890 (affected when used with the default config). The subsequent versions v1.900 and v1.920 were also affected, albeit not exploitable with the default config.

TurnKey v15.x appliances not affected

However, as TurnKey v15.x ships with Webmin v1.881 (the release prior to the introduction of the malicious code), TurnKey instances are NOT affected when used with the default config.

So at this point, no action is required (unless of course you have manually updated to a newer version that is affected - in which case, please update again ASAP).

If you wish to double-check which version of Webmin you have installed (assuming that you have not manually updated it via some other method), you can do that from the command line like this:

apt policy webmin

Currently that should return the following:

webmin:
  Installed: 1.881-turnkey+0
  Candidate: 1.881-turnkey+0
  Version table:
 *** 1.881-turnkey+0 999
        999 http://archive.turnkeylinux.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
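
To check many hosts rather than reading the output by eye, the version test can be scripted. The following is an added example, not part of the original post or TurnKey's tooling: it parses `apt policy`-style output and classifies the installed version using only the version numbers named above. The function names and status labels are made up for illustration, and it assumes `apt-cache policy` prints the same format as the output shown above.

```shell
#!/bin/sh
# Added example: classify the installed Webmin version against the releases
# named in this post. Function names and labels are illustrative only.

# Read `apt policy webmin` output on stdin and print the upstream version,
# e.g. "Installed: 1.881-turnkey+0" -> "1.881". Prints nothing if not installed.
webmin_upstream_version() {
    awk '$1 == "Installed:" {
             v = $2
             sub(/^[0-9]+:/, "", v)    # drop a Debian epoch, if present
             sub(/-[^-]*$/, "", v)     # drop the Debian revision (-turnkey+0)
             if (v != "(none)") print v
             exit
         }'
}

# Map an upstream version to a status, using only what the post states.
classify_webmin() {
    case "$1" in
        1.890)       echo "affected-default-config" ;;
        1.900|1.920) echo "affected-non-default-config" ;;
        1.881)       echo "predates-malicious-code" ;;
        "")          echo "not-installed" ;;
        *)           echo "not-named-in-post" ;;   # needs a manual check
    esac
}

# Read policy output on stdin, print "<version> <status>".
check_webmin() {
    v=$(webmin_upstream_version)
    printf '%s %s\n' "${v:-none}" "$(classify_webmin "$v")"
}

# Sample input: the output shown in this post, embedded so the script runs offline.
SAMPLE=$(cat <<'EOF'
webmin:
  Installed: 1.881-turnkey+0
  Candidate: 1.881-turnkey+0
EOF
)
printf '%s\n' "$SAMPLE" | check_webmin

# On a real host, check the live package database instead.
if command -v apt-cache >/dev/null 2>&1; then
    apt-cache policy webmin 2>/dev/null | check_webmin
fi
```

A result of `not-named-in-post` does not mean the version is safe, only that this post does not mention it.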

Upcoming TurnKey Webmin update

Having said that, there are still some security-related issues that are patched in the current release of Webmin: namely, some potential XSS (cross-site scripting) exploits and a privilege escalation bug. As they all require a malicious actor to already be logged in (via a legitimate user account), with some additional steps and/or config changes to exploit, they are not such a risk when TurnKey is used with default settings/config. If you are using Webmin with additional "limited" users, you would be well advised to audit them.

We do still plan to patch them via an updated Webmin release. Eventually, we intend to push an update out via a security update (so all users automatically get it). However, considering that it isn't a dire issue, and Webmin is a large project and we want to ensure that users don't end up with a broken system, we plan to initially release it via our standard repo (i.e. initially it will require a manual update). Once the update has been released, this post will be updated and I'll also send out a notification to all users subscribed to our "security newsletter". Assuming that we have no negative reports back, sometime after that, we'll push out a security update.

Comments

Steve Doig's picture

We've recently tested Linux on one of our laptops for our website design business.

zeeshan malik's picture

You are doing great work to secure users, although today security is a big challenge for everyone on the internet, but you are trying your best with new updates, enhancements and increasing security awareness to make it more and more secure.

HydUser's picture

Yes. Internet security is important, and computer security is also important.
