Message-ID: <CAKtDSqCsXGO8UWZxo8fdQi2DS8=wuLTEtsomx64+7WxM4ciC8A@mail.gmail.com>
Date: Wed, 4 Sep 2024 09:45:59 +0300
From: Sergei G <serg.gordey@...il.com>
To: oss-security@...ts.openwall.com
Subject: Webmin UDP/10000 discovery service Loop DoS (COK-2024-05-05)

Webmin is a web-based system administration tool for Unix-like servers and
services, with about 1,000,000 yearly installations worldwide.

Webmin and Virtualmin run a UDP service-discovery listener, usually on port
UDP/10000. This service answers any UDP datagram, whatever its content, with
the IP address and port on which the control panel is available.

This behavior can be abused for a Loop DoS attack (see CVE-2024-2169 and the
CISPA Loop DoS research): sending a UDP datagram to one instance with the
source IP:port spoofed to be the discovery service of another Webmin instance
makes the two hosts answer each other indefinitely, which leads to endless
traffic exchange between the hosts, Denial of Service (DoS) and/or abuse of
resources.
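To make the loop concrete, the following is an added, self-contained Python
model of the exchange. It is not Webmin code and not from the reporters: the
host addresses are constructed test-net addresses, and the "hardened"
source-port guard is an assumed countermeasure used only to show why breaking
the cycle on either side ends the loop; it is not a description of the actual
change in Webmin 2.202.

```python
# Added illustration, not Webmin code: an in-process model of the UDP/10000
# discovery loop.  Host addresses and the "hardened" guard are assumptions.
from collections import deque
from dataclasses import dataclass

DISCOVERY_PORT = 10000


@dataclass(frozen=True)
class Datagram:
    src: tuple          # (ip, port) the packet claims to come from
    dst: tuple          # (ip, port) it is delivered to
    payload: bytes


class DiscoveryResponder:
    """Models one discovery listener: answers ANY datagram with its ip:port."""

    def __init__(self, ip, panel_port=10000, hardened=False):
        self.ip = ip
        self.panel_port = panel_port
        self.hardened = hardened
        self.replies_sent = 0

    def handle(self, dg):
        # Assumed guard (not Webmin's actual patch): never answer a datagram
        # whose source port is the discovery port itself.  A genuine client
        # uses an ephemeral port; only another responder, or a spoofed packet
        # pretending to be one, carries source port 10000.
        if self.hardened and dg.src[1] == DISCOVERY_PORT:
            return None
        self.replies_sent += 1
        return Datagram(src=(self.ip, DISCOVERY_PORT), dst=dg.src,
                        payload=f"{self.ip}:{self.panel_port}".encode())


def deliver(hosts, first, max_packets=1000):
    """Deliver datagrams until the network is silent or max_packets is hit.

    Returns the number of datagrams delivered; reaching max_packets means the
    exchange would run forever on a real network."""
    queue = deque([first])
    delivered = 0
    while queue and delivered < max_packets:
        dg = queue.popleft()
        delivered += 1
        responder = hosts.get(dg.dst)
        if responder is None:       # nothing listens on that address/port
            continue
        reply = responder.handle(dg)
        if reply is not None:
            queue.append(reply)
    return delivered


def spoofed_trigger(target_ip, spoofed_ip, spoofed_port=DISCOVERY_PORT):
    """The attacker's single packet: sent to the target's discovery port with
    the source forged as another instance's discovery port."""
    return Datagram(src=(spoofed_ip, spoofed_port),
                    dst=(target_ip, DISCOVERY_PORT), payload=b"x")


def simulate(hardened_a=False, hardened_b=False, max_packets=1000):
    """Two discovery hosts (constructed addresses) and one spoofed packet."""
    a = DiscoveryResponder("192.0.2.10", hardened=hardened_a)
    b = DiscoveryResponder("192.0.2.20", hardened=hardened_b)
    hosts = {(a.ip, DISCOVERY_PORT): a, (b.ip, DISCOVERY_PORT): b}
    return deliver(hosts, spoofed_trigger(a.ip, b.ip), max_packets)


if __name__ == "__main__":
    print("unpatched pair:", simulate(), "packets (capped: loop never ends)")
    print("B patched     :", simulate(hardened_b=True), "packets")
    print("both patched  :", simulate(True, True), "packet")
```

On a real network the trigger requires the attacker to emit a packet with a
forged source, i.e. to sit behind a network without egress anti-spoofing
filtering; the model also shows why the workaround below works, since a host
whose UDP/10000 is unreachable from the Internet is simply absent from the
hosts table and the exchange dies after the first packet.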

Fix:
Users are advised to upgrade to Webmin 2.202 or Virtualmin 7.20.2, which fix
the issue.

Workaround:
Block access to the UDP/10000 discovery service from the Internet.

References:
https://webmin.com/
https://cispa.de/en/loop-dos
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2169

Credits:
Alexander Chernenkov, Sergey Gordeychik, CyberOK
