Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVE-2022-36904: Jenkins Security Advisory 2022-07-27

Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

CVE-2022-36881: Jenkins Security Advisory 2022-07-27

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-36905: Jenkins Security Advisory 2022-07-27

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-36921: Jenkins Security Advisory 2022-07-27

A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.

CVE-2022-36887: Jenkins Security Advisory 2022-07-27

Jenkins Files Found Trigger Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVE-2022-36914: Jenkins Security Advisory 2022-07-27

A missing permission check in Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

CVE-2022-36897: Jenkins Security Advisory 2022-07-27

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.

**Security Alerts**

This page lists security problems found in Webmin and Usermin, versions affected and recommended solutions.

Found a new security bug? Report it at security@webmin.com.

**Webmin 1.995 and below - XSS vulnerability in the HTTP Tunnel module**  

If a less-privileged Webmin user is given permission to edit the configuration of the HTTP Tunnel module, he could use this to introduce a vulnerability that captures cookies belonging to other Webmin users that use the module. Thanks to BLACK MENACE and PYBRO for reporting this issue.

**Webmin 1.995 and Usermin 1.850 and below - XSS vulnerabiliy in the Read Mail module**  

An HTML email crafted by an attacker could capture browser cookies when opened. Thanks to ly1g3 for reporting this bug.

**Webmin 1.991 and below - privilege escalation exploit (CVE-2022-30708)**  

Less privileged Webmin users (excluding those created by Virtualmin and Cloudmin) can modify arbitrary files with root privileges, and so run commands as root. All systems with additional untrusted Webmin users should upgrade immediately. Thanks to esp0xdeadbeef and V1s3r1on for finding and reporting this issue!

**Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829)**  

Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. Thanks to Faisal Fs (faisalfs10x) from NetbyteSEC for finding and reporting this issue!

**Virtualmin Procmail wrapper version 1.0 - Privilege escalation exploit.**  

Version 1.0 of the procmail-wrapper package installed with Virtualmin has a vulnerability that can be used by anyone with SSH access to gain root privileges. To prevent this, all Virtualmin users should upgrade to version 1.1 or later immediately.

**Webmin 1.973 and below - XSS vulnerabilities if Webmin is installed using the setup.pl script (CVE-2021-31760, CVE-2021-31761 and CVE-2021-31762)**  

If Webmin is installed using the non-recommended setup.pl script, checking for unknown referers is not enabled by default. This opens the system up to XSS and CSRF attacks using malicious links.  
Fortunately the standard RPM, Deb, TAR and Solaris packages do not use this script and so are not vulnerable. If you did install using the setup.pl script, the vulnerability can be fixed by adding the line referers\_none=1 to /etc/webmin/config . Thanks to Meshal ( Mesh3l\_911 ) @Mesh3l\_911 and Mohammed ( Z0ldyck ) @electronicbots for finding and reporting this issue!

**Webmin 1.941 and below - XSS vulnerability in the Command Shell module (CVE-2020-8820 and CVE-2020-8821)**  

A user with privileges to create custom commands could exploit other users via unescaped HTML. Thanks to Mauro Cáseres for reporting this and the following issue.

**Webmin 1.941 and below - XSS vulnerability in the Read Mail module (CVE-2020-12670)**  

Saving a malicious HTML attachment could trigger and XSS vulnerability.

**Webmin 1.882 to 1.921 - Remote Command Execution (CVE-2019-15231)**  

Webmin releases between these versions contain a vulernability that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately - other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.  
Either way, upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd\_mode= line, then run /etc/webmin/restart.  
For more details, see our What Happened page.

**Webmin 1.900 - Remote Command Execution (Metasploit)**  

This is NOT a workable exploit as it requires that the attacker already know the root password. Hence there is no fix for it in Webmin.

**Malicious HTTP headers in downloaded URLs**  
Affects Webmin versions up to 1.860, if the Upload and Download or File Manager module is used to fetch an untrusted URL.

If a Webmin user downloads a file from a malicious URL, HTTP headers returned can be used exploit an XSS vulnerability. Thanks to independent security researcher, John Page aka hyp3rlinx, who reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

**Authentic theme configuration page vulnerability**  
Affects Webmin versions up to 1.800, but is only an issue if your system has un-trusted users with Webmin access and is using the new Authentic theme.

A non-root Webmin user could use the theme configuration page to execute commands as root.

**Authentic theme remote access vulnerability**  
Affects Webmin versions up to 1.800, but only if the Authentic theme is enabled globally.  

An attacker could execute commands remotely as root, as long as there was no firewall blocking access to Webmin's port 10000.

**XSS (cross-site scripting) vulnerability in xmlrpc.cgi**  
Affects Webmin versions up to 1.750.  

A malicious website could create links or Javascript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site. Thanks to Peter Allor from IBM for finding and reporting this issue (CVE-2015-1990).

**Read Mail module vulerable to malicious links**  
Affects Webmin versions up to 1.720.  

If un-trusted users have both SSH access and the ability to use Webmin's Read Mail module (as is the case for Virtualmin domain owners), a malicious link could be created to allow reading any file on the system - even those owned by root. Thanks to Patrick William from RACK911 labs for finding this bug.

**Shellshock vulnerability**  
Affects Webmin versions up to 1.700.  

If your bash shell is vulnerable to shellshock, it can be exploited by attackers who have a Webmin login to run arbitrary commands as root. Updating to version 1.710 (or updating bash) will fix this issue.

**Yet another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.590.  

A malicious website could create links or Javascript referencing the File Manager module that allowed execution of arbitrary commands via Webmin when the website is viewed by the victim. See CERT vulnerability note VU#788478 for more details. Thanks to Jared Allar from the American Information Security Group for reporting this problem.

**Referer checks don't include port**  
Affects Webmin versions up to 1.590.  

If an attacker has control over http://example.com/ , he could create a page with malicious Javascript that could take over a Webmin session at https://example.com:10000/ when http://example.com/ is viewed by the victim. Thanks to Marcin Teodorczyk for finding this issue.

**Another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.540.  

This vulnerability can be triggered if an attacker changes his Unix username via a tool like chfn, and a page listing usernames is then viewed by the root user in Webmin. Thanks to Javier Bassi for reporting this bug.

**Unsafe file writes in Virtualmin**  
Affects Virtualmin versions before 3.70.  

This bug allows a virtual server owner to read or write to arbitrary files on the system by creating malicious symbolic links and then having Virtualmin perform operations on those links. Upgrading to version 3.70 is strongly recommended if your system has un-trusted domain owners.

**XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.390, and Usermin up to 1.320.  

This attack could open users who visit un-trusted websites while having Webmin open in the same browser up to having their session cookie captured, which could then allow an attacker to login to Webmin without a password. The quick fix is to go to the **Webmin Configuration** module, click on the **Trusted Referers** icon, set **Referrer checking enabled?** to **Yes**, and un-check the box **Trust links from unknown referrers**. Webmin 1.400 and Usermin 1.330 will make these settings the defaults.

**Windows-only command execution bug**  
Affects Webmin on Windows only, versions before 1.380.  

Any user logged into Webmin can execute any command using special URL parameters. This could be used by less-privileged Webmin users to raise their level of access.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**pam\_login.cgi XSS bug**  
Affects Webmin versions below 1.347, and Usermin versions below 1.277, on any operating system.  

A malicious link to Webmin's pam\_login.cgi script can be used to execute Javascript within the Webmin server context, and perhaps steal session cookies.

**chooser.cgi XSS bug**  
Affects Webmin versions below 1.330, and Usermin versions below 1.260, on any operating system.  

When using Webmin or Usermin to browse files on a system that were created by an attacker, a specially crafted filename could be used to inject arbitrary Javascript into the browser.

**Remote source code access and XSS bug**  
Affects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.  

An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.  
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**Artbitrary remote file access**  
Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.  

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.  
Thanks to Kenny Chen for bringing this to my attention.

**Windows artbitrary file access**  
Affects Webmin versions below 1.280, when running on a Windows server.  

If running Webmin on Windows, an attacker can remotely view the contents of any file on your system using a specially crafted URL. This does not affect other operating systems, but if you use Webmin on Windows you should upgrade to version 1.280 or later.  
Thanks to Keigo Yamazaki of Little eArth Corporation for discovering this bug.

**Perl syslog input attack**  
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with syslog logging enabled.  

When logging of failing login attempts via syslog is enabled, an attacker can crash and possibly take over the Webmin webserver, due to un-checked input being passed to Perl's syslog function. Upgrading to the latest release of Webmin is recommended.  
Thanks to Jack at Dyad Security for reporting this problem to me.

**'Full PAM conversations' mode remote attack**  
Affects Webmin versions between 1.200 and 1.220 and Usermin version between 1.130 and 1.150, when the option **Support full PAM conversations?** is enabled on the **Authentication** page.  

When this option is enabled in Webmin or Usermin, an attacker can gain remote access to Webmin without needing to supply a valid login or password. Fortunately this option is not enabled by default and is rarely used unless you have a PAM setup that requires more than just a username and password, but upgrading is advised anyway.  
Thanks to Keigo Yamazaki of Little eArth Corporation and JPCERT/CC for discovering and notifying me of this bug.

**Brute force password guessing attack**  
Affects Webmin versions below 1.175 and Usermin version below 1.104  

All versions of Webmin below 1.175 do not have password timeouts turned on by default, so an attacker can try every possible password for the root or admin user until he finds the correct one. The solution is to enable password timeouts, so that repeated attempts to login as the same user will become progressively slower. This can be done by following these steps :

*   Go to the **Webmin Configuration** module.
*   Click on the **Authentication** icon.
*   Select the **Enable password timeouts** button.
*   Click the **Save** button at the bottom of the page.

This problem is also present in Usermin, and can be prevented by following the same steps in the **Usermin Configuration** module.

**Usermin cross-site scripting vulnerability**  
Affects Usermin versions below 1.080  

When viewing HTML email, several potentially dangerous types of URLs can be passed through. This can be used to perform malicious actions like executing commands as the logged-in Usermin user. Can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

**Module configurations are visible**  
Affects Webmin versions below 1.150  

Even if a Webmin user does not have access to a module, he can still view it's Module Config page by entering a URL that calls config.cgi with the module name as a parameter. This can only be resolved by upgrading to version 1.150 or later.

**Account lockout attack**  
Affects Webmin versions below 1.150 and Usermin versions below 1.080  

By sending a specially constructed password, an attacker can lock out other users if password timeouts are enabled. This can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

CVE-2022-36880: Webmin

Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress.

CVE-2022-33969: Changeset 2648808 – WordPress Plugin Repository

Researchers at Intezer have published an analysis of a modular and versatile malware targeting Linux systems called Lightning Framework
The post Lightning Framework, modular Linux malware appeared first on Malwarebytes Labs.

Researchers at Intezer have published a technical analysis of Lightning Framework, a previously undocumented and undetected Linux threat. Lightning is a modular framework that is very versatile and something we don’t see very often in the Linux space.

The old argument that Linux systems (or Macs for that matter) don’t get malware has never been true. Linux servers often play a key role in corporate networks, and are also very popular in cloud-based systems, making them attractive targets for criminals.

**The Lightening Framework**

The Lightning Framework has a modular structure, consisting of a downloader (Lightning.Downloader) and a core module (Lightning.Core), with a number of plugins.

Image courtesy of Intezer

A modular architecture can make adding new capabilities or improvements easier, since an update to a plugin should not affect the core or any other plugins. It is also potentially useful to malware authors because if detection is based on one of the plugins then replacing the plugin that triggered the detection may allow the malware to go under the radar for a bit longer.

While some of the modules are known tools, it is rare to see such a complex and versatile framework target Linux systems.

**How Lightening hides**

The main function of the downloader module is to fetch the other components and execute the core module. The framework makes heavy use of typo-squatting and masquerading in order to remain undetected. Intezer reports that the downloader module is located in the working directory /usr/lib64/seahorses/ so anyone performing a quick inspection might think the directory belongs to the password and key manager software seahorse.

One of the tasks of the core module is to set up persistence. It does this by creating a script that gets executed upon system boot. The boot execution is achieved by first creating a file located at /etc/rc.d/init.d/elastisearch, an obvious attempt to typosquat elasticsearch.

The malware uses a timestomping technique to change the timestamp of the script so that it matches the timestamp of one of a few core Linux files. So that, without closer inspection an investigator might think it was created when the system was initially set up.

The framework also uses a rootkit to hide its Process ID (PID) and any related network ports. The rootkit can scrub any reference to files running in the framework.

**Communication**

Network communication in the core and downloader modules is performed over TCP sockets. The C2 server is stored in an encoded configuration file that is unique for every single creation.

The Linux.Plugin.Lightning.Sshd plugin is an OpenSSH daemon that includes hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.

For a deeper analysis of the malware and its plugins, and a list of IOCs, check out the full write up by Intezer.

Tag

#ssh