The Webmin website states, “Webmin is a web-based interface for system administration for Unix.” Many Hosting providers offer Webmin administration with their Virtual Private Servers.
Recently, a presentation revealed backdoor code injected into the source for Webmin. According to a Hacker News story published August 20:
“The story started when Turkish researcher Özkan Mustafa Akkuş publicly presented a zero-day remote code execution vulnerability in the Webmin at DefCon on August 10, without giving any advance notice to the affected project maintainers.“
Without doubt, this presentation raises some responsible disclosure concerns. Debates will take place on this topic, but defenders know action beats debate.
Here at Team Cymru, we focus on actionable intelligence. What do we know about this situation?
Open Listeners
Our scanning projects cover most IPv4 address space. Webmin uses TCP port 10,000 by default. Over a recent 45 day period, our OpenPorts data show slightly over 3,850,000 open port 10,000 listeners across the Internet.
As you may expect, these listeners are not all Webmin, but this data gives context to the scope of the problem. If only half are vulnerable Webmin panels, that would be close to 2 million exposed systems.
Scanning Activity
With many vulnerability disclosures, scanning activity increases as the vulnerability becomes better known. Team Cymru data includes an impressive amount of darknet data.
Darknets are network ranges that do not contain any active systems. IP addresses within darknets should never send or receive any packets. Any packets arriving to these IP addresses are suspect.
Figure 1: Note that 8/22/19 represents a partial day (approximately 16 hours)
Our darknet data shows an uptick in scanning attempts in the past two days in Figure 1 (the green bars). It also shows a spike that happened in late July, before the presentation on this vulnerability.
Our darknet data shows a clear uptick in the number of distinct scanners over the past two days in Figure 1 (the red line)
Official Responses
This issue is being tracked as CVE-2019-15107.
Webmin’s team announced Webmin 1.930 and Usermin 1.780 on August 17. These patches fix this vulnerability and some other issues. Please apply the updates where needed!
Summary
Vulnerabilities, bugs and backdoors are constants in the Information Security space. Attackers do not sleep and will not stop. Defenders must do all they can to prepare and respond to threats.
The data used in this report is all available through Team Cymru’s Augury global insight tool. Augury gives defenders a fighting chance by putting relevant intelligence at your fingertips.
Team Cymru exists to save and improve human lives. We work towards this mission by empowering network and security defenders. Join the growing list of network defenders with relevant insight at their fingertips!