CVE-2022-36446

9.8 CRITICAL

📋 TL;DR

CVE-2022-36446 is a command injection vulnerability in Webmin's apt-lib.pl module that allows remote attackers to execute arbitrary commands on affected systems. The vulnerability affects Webmin installations before version 1.997 and can be exploited through the package updates interface. Attackers can gain full control of the server by injecting malicious commands into the UI.

💻 Affected Systems

Products:
  • Webmin
Versions: All versions before 1.997
Operating Systems: Linux, Unix
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to Webmin interface, but default installations are vulnerable. The apt-lib.pl module is used for package management on Debian/Ubuntu systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote unauthenticated attacker gains root-level command execution, leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Authenticated attacker or attacker who gains access to the Webmin interface executes arbitrary commands with Webmin's privileges, typically root, resulting in system takeover.

🟢 If Mitigated: With proper network segmentation and authentication controls, impact is limited to authenticated users only, reducing the attack surface significantly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts available. Requires authentication to Webmin interface, but can be combined with other vulnerabilities or credential theft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.997

Vendor Advisory: https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde

Restart Required: No

Instructions:

1. Back up the Webmin configuration.
2. Update Webmin to version 1.997 or later using the built-in update feature or manual installation.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Package Updates Module

Temporarily disable the vulnerable apt-lib.pl module until patching is possible:

mv /usr/share/webmin/software/apt-lib.pl /usr/share/webmin/software/apt-lib.pl.disabled

Restrict Webmin Access

Limit Webmin access to specific IP addresses only. Edit /etc/webmin/miniserv.conf and set allow=192.168.1.0/24 (replace with your network).

🧯 If You Can't Patch

  • Implement strict network access controls to limit Webmin access to trusted IP addresses only
  • Enable multi-factor authentication for all Webmin users and audit user accounts for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check the Webmin version with grep 'version=' /etc/webmin/miniserv.conf | cut -d= -f2. If the version is less than 1.997, the system is vulnerable.

Check Version:

grep 'version=' /etc/webmin/miniserv.conf | cut -d= -f2

Verify Fix Applied:

Verify Webmin version is 1.997 or higher using the same command. Check that the apt-lib.pl file contains proper HTML escaping for UI commands.
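The version check above done as a small script, so it can be dropped into an inventory or compliance job. This is an added example, not part of the advisory or of Webmin itself; it reuses the file path and grep pipeline the advisory gives and the fixed release 1.997 it names, and treats any older version as vulnerable. The comparison relies on GNU sort -V so that a hypothetical 1.1000 sorts after 1.997 rather than before it.

```shell
#!/bin/sh
# Added example (not from the advisory): compare the installed Webmin version
# against the fixed release named above. FIXED_VERSION is the patch version
# the advisory states; the conf path and grep pipeline are the ones it gives.
FIXED_VERSION="1.997"

# Returns 0 when the version passed as $1 is older than FIXED_VERSION
# (vulnerable), 1 when it is FIXED_VERSION or newer, 2 on empty input.
# sort -V orders version strings numerically per component.
webmin_version_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    [ "$ver" = "$FIXED_VERSION" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$oldest" = "$ver" ]
}

# Reads the version= value from a miniserv.conf-style file.
# Default path is the one the advisory uses; pass another path to test.
webmin_installed_version() {
    conf="${1:-/etc/webmin/miniserv.conf}"
    grep '^version=' "$conf" 2>/dev/null | head -n 1 | cut -d= -f2
}

# Reports the status of one host/config file. Exit status: 0 vulnerable,
# 1 patched, 2 no Webmin version found.
check_host() {
    v=$(webmin_installed_version "$1")
    if [ -z "$v" ]; then
        echo "no Webmin version found in ${1:-/etc/webmin/miniserv.conf}"
        return 2
    fi
    if webmin_version_vulnerable "$v"; then
        echo "Webmin $v is older than $FIXED_VERSION: VULNERABLE to CVE-2022-36446"
        return 0
    else
        echo "Webmin $v is $FIXED_VERSION or newer: patched"
        return 1
    fi
}

# Run as `sh check_webmin.sh [path-to-miniserv.conf]` to check a host;
# with no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Exit status 0 means "vulnerable" so that a fleet-wide loop can collect the hosts that still need the 1.997 update; a missing version line (no Webmin installed, or a different config layout) is reported separately rather than being counted as patched.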

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Webmin logs
  • Multiple failed authentication attempts followed by successful login
  • Suspicious package update requests with unusual parameters

Network Indicators:

  • Unusual outbound connections from Webmin server
  • Traffic to known malicious IPs from Webmin host
  • Unexpected SSH or reverse shell connections originating from Webmin

SIEM Query:

source="webmin" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
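The same four patterns as the SIEM query, applied as a shell filter to exported log lines. This is an added example and not part of the advisory; the log lines are constructed for the example with a command="..." field, so the grep must be adapted to the real field layout of whatever log source feeds the SIEM.

```shell
#!/bin/sh
# Added example (not from the advisory): flag log lines whose command field
# contains the shell metacharacters the SIEM query above looks for
# (; | ` and $( ). SAMPLE_LOG is constructed; the format is hypothetical.
SAMPLE_LOG='2024-01-10 10:01:02 user=admin module=software command="apt-get install vim"
2024-01-10 10:03:15 user=admin module=software command="apt-get upgrade; id"
2024-01-10 10:04:40 user=ops module=useradmin command="list users"
2024-01-10 10:05:01 user=admin module=software command="apt-get install $(id)"
2024-01-10 10:06:22 user=admin module=software command="dpkg -l `whoami`"
2024-01-10 10:07:09 user=admin module=software command="dpkg -l | grep vim"'

# Reads log lines on stdin and prints only those whose command="..." value
# contains ; or | or a backtick or $( , mirroring the four wildcard clauses
# of the SIEM query. Exit status follows grep: 0 if anything matched.
flag_suspicious_commands() {
    grep -E 'command="[^"]*(;|\||`|\$\()[^"]*"'
}

# Number of flagged lines in the constructed sample (4 of the 6 lines).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_commands | wc -l | tr -d ' '
}

# Run directly to see which sample lines trip the filter.
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_commands
```

A pipe in a package command is not proof of exploitation, so treat a hit as a triage prompt: check whether the account, source address and module in the same line are expected, and whether the host still runs a version older than 1.997.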
