CVE-2019-15107
Published: 16 August 2019
Summary
CVE-2019-15107 is a critical-severity OS Command Injection (CWE-78) vulnerability in Webmin. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-15107 is a command injection vulnerability (CWE-78) affecting Webmin versions up to and including 1.920. The flaw resides in the "old" parameter of the password_change.cgi script, which fails to properly sanitize input before passing it to a system command.
The vulnerability can be exploited remotely by unauthenticated attackers over the network. Successful exploitation grants full control over the affected system, allowing arbitrary command execution with impacts to confidentiality, integrity, and availability, as reflected in its CVSS 3.1 base score of 9.8.
Public exploit code for this issue has been disclosed on multiple platforms, including detailed remote code execution and backdoor variants targeting the unauthenticated password change endpoint. No official patch or mitigation details are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-6178
Vulnerability details
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input such as the 'old' parameter before it is passed to system commands, blocking the CWE-78 injection.
- SI-2 (Flaw Remediation): mandates prompt installation of patches or updates that eliminate the unauthenticated command-injection flaw in password_change.cgi.
- Enforces authentication and authorization checks on the password_change.cgi endpoint so that unauthenticated remote attackers cannot reach the vulnerable parameter.
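As an added example (not from this advisory or from the Webmin project), the following Python script does two defender-side checks derived from the details above: it decides whether a reported Webmin version falls in the affected range (<= 1.920), and it scans web-server access log lines for requests to password_change.cgi that carry no authenticated user, since that endpoint is the unauthenticated reach into the flaw. The combined log format and the sample lines are assumptions constructed for the demonstration; the third log field is taken to be the authenticated username or "-".

```python
import re
from typing import Dict, List, Tuple

# Affected range stated in the advisory: Webmin versions up to and including 1.920.
MAX_AFFECTED_VERSION: Tuple[int, int] = (1, 920)


def parse_version(version: str) -> Tuple[int, int]:
    """Turn a Webmin version string such as '1.920' into a comparable (major, minor) tuple.
    Assumes the two-part 'major.minor' scheme Webmin uses for these releases."""
    major, minor = version.strip().split(".", 1)
    return (int(major), int(minor))


def is_affected(version: str) -> bool:
    """True when the installed version is within the range the advisory lists as vulnerable."""
    return parse_version(version) <= MAX_AFFECTED_VERSION


# Assumed combined log format: client, ident, authenticated user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_password_change_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return unauthenticated requests to password_change.cgi for analyst review.
    Legitimate password-expiry flows also hit this endpoint without a session, so a hit
    is an indicator to triage (source, frequency, body size), not proof of exploitation."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.endswith("/password_change.cgi") and m.group("user") == "-":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status")})
    return hits


# Constructed sample log lines (not real traffic) covering one hit and two non-hits.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Aug/2019:10:01:22 +0000] "POST /password_change.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - admin [16/Aug/2019:10:02:01 +0000] "GET /useradmin/index.cgi HTTP/1.1" 200 9811',
    '198.51.100.7 - - [16/Aug/2019:10:02:40 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("1.920 affected:", is_affected("1.920"), "| 1.930 affected:", is_affected("1.930"))
    for hit in flag_password_change_requests(SAMPLE_LOG):
        print("review:", hit)
```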