The Cybersecurity Center (BKIS) has reported a newly discovered, serious vulnerability in the Webmin software that could allow attackers to break into servers running it with very little effort.
This software provides a web interface for system administration on Unix and Linux operating systems.
Webmin is commonly used by hosting service providers to manage user accounts and directories. Through this vulnerability, an attacker can reach any directory and read any file on a server that runs Webmin.
In Vietnam, BKIS has examined and found that several large hosting service providers, including one ISP, are using Webmin for managing user hosting accounts. As a result, customer information from these service providers, such as username/password and files in the web directory, may have already been compromised by hackers.
Nearly 400 customers of these service providers, including banks, businesses, and organizations, could be exposed. This is extremely dangerous: with the information obtained, attackers could take complete control of all of these customers' websites.
In addition to Webmin, the same vulnerability has been found in the Usermin software. Both packages are developed by the same authors and share the same code, which is why they contain the same flaw and can be exploited in the same way. Both are popular applications trusted by network administrators on Unix and Linux systems.
The Cybersecurity Center BKIS has advised all network administrators nationwide to check whether their systems are using Webmin or Usermin. If so, they must immediately patch the vulnerabilities in these software applications.
To address this issue, the first step for administrators is to upgrade the vulnerable software to the latest versions, Webmin 1.290 and Usermin 1.220, available from www.webmin.com. Next, hosting service providers need to inform and guide their hosting customers to change their management passwords and database connection passwords (if applicable) immediately. Finally, a system review should be conducted (by both service providers and their hosting customers), because attackers may already have got in over the past few days to modify information or to install backdoors (hidden remote-access programs) that let them control the system later.
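The version check and the system review above are the two steps that can be scripted. The following Python script is an added example, not code from BKIS or from the Webmin project: it compares an installed version against the fixed releases named in the article and scans access-log lines in the common log format that Webmin's miniserv writes, flagging any request whose path still contains a `..` segment after percent-decoding, with or without the `%01` filler. The client addresses, timestamps and request paths in `SAMPLE_LOG` are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import unquote

# Releases that carry the fix, as given in the article.
FIXED_VERSIONS = {"webmin": (1, 290), "usermin": (1, 220)}

def parse_version(text):
    """'1.290' -> (1, 290); Webmin and Usermin use a major.minor scheme."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_upgrade(product, installed):
    """True when the installed release predates the fixed one."""
    return parse_version(installed) < FIXED_VERSIONS[product.lower()]

# Common log format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# After percent-decoding, a traversal segment is ".." followed by any number
# of control bytes (the %01 filler) and then "/".  A plain "../" also matches.
DOTDOT_RE = re.compile(r"\.\.[\x00-\x1f\x7f]*/")

def is_traversal(raw_path):
    """Decode once, then look for dot-dot segments padded with control bytes."""
    return DOTDOT_RE.search(unquote(raw_path)) is not None

def suspicious_requests(log_lines):
    """Return (client, status, decoded path) for each request that looks like a traversal."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _timestamp, _method, path, status = match.groups()
        if is_traversal(path):
            hits.append((client, int(status), unquote(path)))
    return hits

# Constructed sample lines in the shape of a miniserv access log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2006:10:12:33 +0700] "GET /..%01/..%01/..%01/etc/shadow HTTP/1.0" 200 1180',
    '198.51.100.4 - admin [26/Jun/2006:10:13:02 +0700] "GET /useradmin/index.cgi HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Jun/2006:10:14:10 +0700] "GET /..%01/..%01/home/site1/public_html/config.php HTTP/1.0" 200 904',
    '192.0.2.9 - - [26/Jun/2006:10:15:00 +0700] "GET /../../etc/passwd HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for product, version in (("webmin", "1.280"), ("usermin", "1.220")):
        print(f"{product} {version}: {'UPGRADE' if needs_upgrade(product, version) else 'ok'}")
    for client, status, path in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {status} {path!r}")
```

A hit with status 200 means the file was served, so the path it names (here a shadow file and a site's database configuration) should be treated as disclosed and the matching passwords rotated; a 404 shows an attempt that failed.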
The cause of the vulnerability is that the software's check against directory traversal does not properly handle the path separator "/". The check strips "../" from the requested path before the URL-encoded sequence "%01" is decoded, and the resulting control character is discarded only afterwards, so a repeated string of "..%01/" passes the check and is then turned into "../". With it, an attacker can read the contents of any file on the system that the Webmin process can open (which, as Webmin normally runs as root, means every file), obtaining sensitive information such as the usernames and password hashes of system accounts (from /etc/passwd and /etc/shadow) or database credentials from configuration files.
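To make the mechanism concrete, here is an added Python model of the two processing orders; it is not Webmin's own Perl code. In the vulnerable order the server strips ".." segments, then percent-decodes, then drops the control byte, so "..%01" becomes ".." only after the filter has already run; the hardened order decodes first, rejects control bytes outright, resolves the path and verifies that it still lies under the document root. The document root `/usr/libexec/webmin` and the request paths are assumptions for the example. The model also shows that the same ordering mistake lets "%2e%2e/" through, a property of decode-after-validate in general rather than a claim about what Webmin did with that sequence.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example.
DOC_ROOT = "/usr/libexec/webmin"

def strip_dotdot(path):
    """Naive traversal filter: removes a segment only if it is exactly '..'
    between two slashes, so '..%01' and '%2e%2e' are not recognised."""
    return "/".join(seg for seg in path.split("/") if seg != "..")

def drop_control_chars(path):
    """Discard non-printable characters, as a lenient server might."""
    return "".join(ch for ch in path if ch.isprintable())

def resolve_vulnerable(request_path):
    """Filter, then decode, then clean.  The filter never sees the real '..',
    which only appears once the %01 has been decoded and thrown away.
    normpath stands in for the kernel resolving '..' when the file is opened."""
    filtered = strip_dotdot(request_path)
    decoded = unquote(filtered)
    cleaned = drop_control_chars(decoded)
    return posixpath.normpath(DOC_ROOT + "/" + cleaned.lstrip("/"))

def resolve_hardened(request_path):
    """Decode first, refuse control bytes, then resolve and check containment.
    Returns the filesystem path to serve, or None for a rejected request."""
    decoded = unquote(request_path)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None  # control bytes have no legitimate place in a URL path
    resolved = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/"):
        return None  # escaped the document root
    return resolved

if __name__ == "__main__":
    for req in ("/..%01/..%01/..%01/etc/shadow",
                "/../../../etc/shadow",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/useradmin/index.cgi"):
        print(f"{req:40} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':40} hardened   -> {resolve_hardened(req)}")
```

The plain "../" request is the only one the naive filter neutralises; the hardened resolver rejects every traversal variant while still serving the ordinary CGI path. Checking the resolved path against the root, rather than pattern-matching the request string, is what makes the fix independent of the encoding tricks used.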
L.Quang