
A critical vulnerability (CVE-2015-2079) in Usermin, a web-based administration tool, allows authenticated attackers to execute arbitrary code due to improper handling of Perl’s `open()` function. The flaw affects versions 0.980 through 1.650, with a CVSS score of 9.9 (CRITICAL). Patched in Usermin 1.660, the issue highlights risks in legacy code and silent fixes.[1]
Executive Summary for Security Leaders
The vulnerability stems from Usermin’s misuse of Perl’s two-argument `open()` function in the `uconfig_save.cgi` script, enabling command injection via the `sig_file_free` parameter. Exploitation requires authenticated access, but successful attacks grant full system control. The flaw remained unpatched for 13 years until a 2015 update, which was not documented in official changelogs.[2]
Key points:
– **Impact**: Authenticated Remote Code Execution (RCE)
– **Affected Versions**: Usermin 0.980 (2002) to 1.650 (2015)
– **Patch**: Usermin 1.660 replaces `open()` with `open_readfile()`
– **Exploit Availability**: Public PoC exists via Metasploit[3]
Technical Analysis
The vulnerability occurs in the `get_signature` function within `mailbox-lib.pl`, where user-controlled input passes directly to Perl’s `open()` without sanitization. Attackers can inject shell commands using pipe characters (`|`) in the `sig_file_free` parameter during email composition or signature editing.[4]
A sample HTTP request demonstrates the attack vector:
```http
POST /uconfig_save.cgi HTTP/1.1
Host: target:20000
Content-Length: 83

module=mailbox&sig_file=free&sig_file_free=|uname -a|&sig_mode=0&save=Save
```
The Metasploit module (available since 2015) confirms reliable exploitation across Linux and Solaris systems. Code White researchers first identified the flaw during penetration tests, noting it could bypass standard web application firewalls due to its use of legitimate administrative functions.[5]
Remediation and Detection
Organizations should immediately upgrade to Usermin 1.660 or later. For systems requiring legacy versions, implement these compensating controls:
– Restrict access to Usermin’s web interface (port 20000 by default)
– Monitor for unusual POST requests to `/uconfig_save.cgi`
– Review logs for command output in HTTP responses
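As an added example (not Usermin's code or the page's own), the following Python models how Perl's two-argument `open()` interprets its filename argument according to the documented rules, which is the mechanism behind the `get_signature` flaw described above, and uses that model both as an allow-list validator for a `sig_file_free` value and as a log-review check for captured POSTs to `/uconfig_save.cgi`; the function names, sample bodies and the `/home/alice/.signature` path are constructed for the example.

```python
from typing import List, Tuple
from urllib.parse import parse_qs

# Mode prefixes Perl's two-argument open() recognises at the start of the
# "filename" argument; longest first so ">>" is not mistaken for ">".
_MODE_PREFIXES = {"+>>": "read-write", "+<": "read-write", "+>": "read-write",
                  ">>": "append", "<": "read", ">": "write", "|": "pipe-to"}

def perl_two_arg_open_mode(name: str) -> Tuple[str, str]:
    """Classify a string the way Perl's two-argument open() interprets it.
    Returns (mode, target). Surrounding whitespace is ignored; a leading mode
    prefix is checked first (so a leading '|' beats a trailing one); otherwise
    a trailing '|' means "pipe from command", and a bare '-' means STDIN/STDOUT."""
    s = name.strip()
    mode, target = "read", s
    for prefix, prefix_mode in _MODE_PREFIXES.items():
        if s.startswith(prefix):
            mode, target = prefix_mode, s[len(prefix):].strip()
            break
    if mode == "read" and not s.startswith("<") and target.endswith("|"):
        mode, target = "pipe-from", target[:-1].strip()
    if target == "-":
        mode = {"read": "stdin", "write": "stdout"}.get(mode, mode)
    return mode, target

def is_safe_signature_path(value: str) -> bool:
    """Allow-list check for a user-supplied signature path: it must be exactly
    what open() would read as a plain file, with no mode or pipe characters."""
    mode, target = perl_two_arg_open_mode(value)
    return mode == "read" and target == value and not (set(value) & set("|<>&\x00 \t\r\n"))

def flag_uconfig_request(path: str, body: str) -> List[str]:
    """Report every sig_file_free value in a captured POST to /uconfig_save.cgi
    that open() would not treat as a plain file read (log review / IDS use)."""
    if path != "/uconfig_save.cgi":
        return []
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get("sig_file_free", []):
        mode, target = perl_two_arg_open_mode(value)
        if mode != "read":
            findings.append(f"sig_file_free would open as {mode!r}: {target!r}")
    return findings

# Constructed sample bodies: the request shown on the page and a benign save.
MALICIOUS_BODY = "module=mailbox&sig_file=free&sig_file_free=|uname -a|&sig_mode=0&save=Save"
BENIGN_BODY = "module=mailbox&sig_file=free&sig_file_free=/home/alice/.signature&sig_mode=0"

if __name__ == "__main__":
    for body in (MALICIOUS_BODY, BENIGN_BODY):
        print(flag_uconfig_request("/uconfig_save.cgi", body) or ["no findings"])
```

The same classifier shows why the fix matters: a three-argument `open()` (or Webmin's `open_readfile()`) takes the mode separately, so none of these prefixes or suffixes are interpreted.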
Tenable’s vulnerability database confirms active exploitation attempts as recently as 2021, emphasizing the need for prompt patching even years after disclosure.[6]
Conclusion
CVE-2015-2079 exemplifies the long-term risks in administrative web interfaces, particularly those using Perl’s flexible file handling functions. Its 13-year lifespan before patching underscores the importance of regular code audits for legacy systems. Security teams should prioritize reviewing all web-based administration tools for similar command injection vectors.
References
[1] “CVE-2015-2079 Detail,” National Vulnerability Database. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2015-2079
[2] “Usermin Security Advisory,” Webmin. [Online]. Available: https://webmin.com/security/
[3] “Usermin 1.660 exploit,” Exploit Database, 2021. [Online]. Available: https://www.exploit-db.com/exploits/50234
[4] “CVE-2015-2079 Analysis,” Code White, 2015. [Online]. Available: https://code-white.com/blog/2015-05-cve-2015-2079-rce-usermin/
[5] “Core Security Advisory,” Core Security. [Online]. Available: https://www.coresecurity.com/core-labs/exploits?title=MS15-099&page=57
[6] “Tenable Vulnerability Report,” Tenable. [Online]. Available: https://www.tenable.com/cve/CVE-2015-2079