CVE-2021-32162

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Webmin's File Manager allows attackers to trick authenticated administrators into performing unauthorized file operations. It affects Webmin versions 1.973 and potentially earlier versions. Attackers can exploit this when administrators are logged into Webmin and visit malicious websites.

💻 Affected Systems

Products:
  • Webmin
Versions: 1.973 and earlier versions
Operating Systems: All platforms running Webmin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires File Manager feature enabled and administrator authentication. All Webmin installations with default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file upload, deletion, or modification leading to remote code execution, privilege escalation, or data destruction.

🟠 Likely Case

Unauthorized file operations including upload, download, deletion, or modification of sensitive system files and user data.

🟢 If Mitigated

Limited impact with proper CSRF protections, network segmentation, and administrative awareness.

🌐 Internet-Facing: HIGH - Webmin is often exposed to the internet for remote administration, making it accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they can trick administrators into visiting malicious sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim administrator to be authenticated and visit a malicious website. Public proof-of-concept code is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.974 and later

Vendor Advisory: https://www.webmin.com/security.html

Restart Required: No

Instructions:

1. Update Webmin to version 1.974 or later using the built-in update feature or package manager.
2. Verify the update completed successfully.
3. Clear browser cache and cookies.

🔧 Temporary Workarounds

Disable File Manager (platform: all)

Temporarily disable the File Manager module if not required:

# In Webmin: Webmin Configuration -> Module Configuration -> Uncheck 'File Manager'

Implement CSRF Tokens (platform: linux)

Add custom CSRF protection to Webmin configuration:

# Add to /etc/webmin/config: csrf_token=1
# Restart Webmin: systemctl restart webmin

🧯 If You Can't Patch

  • Implement network segmentation to restrict Webmin access to trusted IP addresses only
  • Use separate browser profiles for administrative tasks and general browsing, and log out of Webmin when not in use

🔍 How to Verify

Check if Vulnerable:

Check Webmin version via web interface (Webmin -> Webmin Configuration -> Version) or command line: grep version= /etc/webmin/miniserv.conf

Check Version:

grep version= /etc/webmin/miniserv.conf | cut -d= -f2

Verify Fix Applied:

Verify that the installed version is 1.974 or higher, then test File Manager functionality with CSRF testing tools to confirm cross-site requests are rejected.
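As an added example (not code from the advisory or from the Webmin project), the POSIX shell check below reads the version= line from miniserv.conf the same way the grep above does and compares it numerically against the 1.974 fix version; the conf file used in the comments is constructed.

```shell
#!/bin/sh
# Read the version= value from a miniserv.conf file (path in $1).
# Assumes the file carries a "version=1.973"-style line as the page's grep shows.
webmin_version() {
    grep '^version=' "$1" | head -n1 | cut -d= -f2 | tr -d '[:space:]'
}

# Return 0 (true) when version "$1" is below the fixed 1.974, i.e. still affected.
# Major and minor parts are compared as integers so that 1.973 < 1.974 < 2.001;
# a plain string comparison would wrongly rank e.g. "1.99" above "1.974".
is_vulnerable_version() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 974 ]
}

# Convenience wrapper: prints a verdict for a conf file and returns 0 if vulnerable.
check_webmin_conf() {
    v=$(webmin_version "$1")
    if [ -z "$v" ]; then
        echo "no version= line found in $1"
        return 2
    fi
    if is_vulnerable_version "$v"; then
        echo "Webmin $v: affected by CVE-2021-32162, update to 1.974 or later"
        return 0
    fi
    echo "Webmin $v: at or above the 1.974 fix version"
    return 1
}

# Usage on a real host (constructed example path matches the advisory):
# check_webmin_conf /etc/webmin/miniserv.conf
```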

📡 Detection & Monitoring

Log Indicators:

  • Unusual file operations in Webmin logs
  • Multiple failed authentication attempts followed by successful File Manager actions
  • Requests without proper referrer headers

Network Indicators:

  • Unusual outbound connections from Webmin server
  • Requests to File Manager endpoints with suspicious parameters

SIEM Query:

source="webmin" AND (action="upload" OR action="delete" OR action="rename") AND referrer NOT CONTAINS "webmin"
