Webmin/Virtualmin Vulnerability Opens Door to Loop DoS Attacks (CVE-2024-2169)
System administrators and web hosting providers relying on the popular Webmin and Virtualmin control panels are urged to take immediate action following the disclosure of a critical vulnerability (CVE-2024-45692) that could lead to devastating Denial-of-Service (DoS) attacks. The vulnerability, also tracked as CVE-2024-2169, affects versions of Webmin prior to 2.202 and Virtualmin prior to 7.20.2.
At the heart of the issue lies Webmin/Virtualmin’s UDP service discovery mechanism, typically operating on port 10000. This service responds to any incoming UDP request by revealing the IP address and port where the control panel is accessible. While seemingly benign, this behavior can be exploited by malicious actors to trigger a “Loop DoS” attack.
In a Loop DoS attack, an attacker crafts UDP packets with spoofed source IP addresses and ports, mimicking the addresses of other Webmin instances. When these packets hit a vulnerable Webmin/Virtualmin server, it responds with its own IP and port information. However, because the source addresses are spoofed, the response is sent back to another unsuspecting Webmin server, creating an endless loop of traffic between the two.
This self-sustaining loop can quickly overwhelm the affected servers, consuming their network bandwidth and computational resources, ultimately rendering them inaccessible to legitimate users. The attack can also be amplified by involving multiple Webmin instances, further escalating the impact.
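The loop described above, as an added in-memory simulation (not Webmin's code, and the reply format is a constructed placeholder, not the real wire format): two discovery responders exchange datagrams through a queue, so a single spoofed packet keeps them answering each other until the step cap. The hardened variant illustrates one generic defensive principle, never answering a datagram that arrives from another service's port or that looks like a reply; it is an illustration of that principle, not the actual fix shipped in Webmin 2.202.

```python
from collections import deque

DISCOVERY_PORT = 10000   # Webmin/Virtualmin UDP service discovery port
MAX_STEPS = 1000         # stop the simulation if the loop never dies out


class DiscoveryServer:
    """One Webmin-like host. hardened=False mirrors the pre-2.202 behaviour
    described above: any datagram reaching port 10000 gets an answer."""

    def __init__(self, ip, hardened):
        self.ip, self.hardened = ip, hardened
        self.replies_sent = 0

    def handle(self, src_ip, src_port, payload):
        # Return the reply datagram to emit, or None to stay silent.
        if self.hardened:
            # A reply must never itself be answered: drop datagrams that come
            # from another discovery service (source port 10000) or that look
            # like an answer, so a spoofed packet cannot start a loop.
            if src_port == DISCOVERY_PORT or payload.startswith(b"WEBMIN "):
                return None
        self.replies_sent += 1
        # Constructed reply format (assumption, not Webmin's real wire format).
        answer = b"WEBMIN %s:%d" % (self.ip.encode(), DISCOVERY_PORT)
        return (self.ip, DISCOVERY_PORT, src_ip, src_port, answer)


def run_loop(hardened, spoofed_src_port=DISCOVERY_PORT):
    """Inject one datagram that appears to come from server B (spoofed source)
    and is delivered to server A; return how many replies both servers send.
    Addresses are constructed documentation-range values."""
    a, b = "192.0.2.10", "192.0.2.20"
    servers = {a: DiscoveryServer(a, hardened), b: DiscoveryServer(b, hardened)}
    # Datagrams are (src_ip, src_port, dst_ip, dst_port, payload).
    wire = deque([(b, spoofed_src_port, a, DISCOVERY_PORT, b"")])
    steps = 0
    while wire and steps < MAX_STEPS:
        src_ip, src_port, dst_ip, dst_port, payload = wire.popleft()
        steps += 1
        if dst_port != DISCOVERY_PORT:
            continue                      # nothing listens there; dropped
        reply = servers[dst_ip].handle(src_ip, src_port, payload)
        if reply:
            wire.append(reply)
    return sum(s.replies_sent for s in servers.values())
```

Only a spoofed source port equal to the service port sustains the loop; a reply aimed at any other port is simply dropped by the peer, which is why the hardened responder's source-port check is enough to break it in this model.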
The simplest and most effective way to mitigate this vulnerability is to upgrade to the latest versions of Webmin (2.202) and Virtualmin (7.20.2), which include a fix for the issue. If upgrading is not immediately possible, administrators can temporarily block access to UDP port 10000 from the internet as a workaround.
Given the widespread use of Webmin and Virtualmin and the relative ease of exploiting this vulnerability, it is crucial for administrators to take immediate action. The potential consequences of a successful Loop DoS attack can be severe, disrupting critical services and causing significant financial losses.