A security vulnerability has been discovered in Webmin, a widely used web-based system administration tool for Unix-like servers. The vulnerability, present in Webmin versions 2.202 and below, could allow an attacker to bypass SSL certificate authentication and gain unauthorized access to sensitive systems.
Webmin is utilized by approximately 1,000,000 servers worldwide to manage operating system internals and control various open-source applications. The vulnerability stems from Webmin’s handling of SSL certificates when configured to trust remote IP addresses provided by a proxy. An attacker could exploit this flaw by sending a forged header to fake the client certificate, thereby bypassing the authentication mechanism.
The vulnerability was reported by Tatsu Taki from JPCERT/CC. Webmin has addressed the issue in version 2.301 and later. Users are strongly urged to upgrade to the latest version to mitigate this vulnerability.
As a precautionary measure, Webmin recommends disabling the “Trust level for proxy headers” option in the IP Access Control settings if there is any possibility of direct requests by clients. This will prevent attackers from exploiting the vulnerability by sending forged headers.
Related Posts:
- Security Update for Webmin: Addressing Privilege Escalation Vulnerability
- Webmin/Virtualmin Vulnerability Opens Door to Loop DoS Attacks (CVE-2024-2169)
- CVE-2024-12828 (CVSS 9.9): Webmin Vulnerability Leaves a Million Servers Exposed to RCE
- CVE-2024-36451 (CVSS 8.8): Webmin Vulnerability Allows Session Hijacking
