CVE-2021-31760 Overview
CVE-2021-31760 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Webmin version 1.973 that can be chained to achieve Remote Command Execution (RCE). The vulnerability exists in Webmin's running process feature, allowing attackers to craft malicious requests that execute arbitrary commands on the target server when an authenticated administrator visits a specially crafted page.
Critical Impact
This vulnerability allows unauthenticated attackers to execute arbitrary commands with the privileges of the Webmin service (typically root) by tricking an authenticated administrator into visiting a malicious webpage, leading to complete system compromise.
Affected Products
- Webmin 1.973
Discovery Timeline
- April 25, 2021 - CVE-2021-31760 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-31760
Vulnerability Analysis
This vulnerability combines two dangerous attack techniques: Cross-Site Request Forgery (CSRF) and Remote Command Execution. Webmin's running process feature lacks proper CSRF protections, allowing malicious actors to submit forged requests on behalf of authenticated administrators. When an administrator with an active Webmin session visits a malicious webpage, the attacker can leverage this weakness to execute system commands through the process management functionality.
The attack requires no prior authentication from the attacker: it needs only that a victim administrator be logged into Webmin and visit an attacker-controlled page. Because Webmin typically runs with elevated privileges in order to manage system services, successful exploitation grants the attacker root-level command execution on the underlying server.
Root Cause
The root cause of CVE-2021-31760 is the absence of CSRF protection tokens in the running process feature of Webmin. The application fails to validate that requests to execute processes originate from legitimate user actions within the Webmin interface. Without anti-CSRF tokens or proper origin validation, the server cannot distinguish between legitimate administrative requests and forged requests initiated by malicious external websites.
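The following is an added example, not Webmin code, that contrasts the weak request-handling pattern described above with one that applies origin validation and a per-session anti-CSRF token. The host names, session ids, secret and the handler/function names are constructed for illustration; the handlers only return a status and never run anything.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# All values below are constructed for the example; none come from Webmin itself.
SERVER_SECRET = b"constructed-server-secret-rotate-me"
TRUSTED_HOSTS = {"webmin.example.internal:10000"}   # assumed admin-interface host:port
ACTIVE_SESSIONS = {"sid-constructed-0001"}           # session ids the server treats as logged in


def issue_csrf_token(session_id):
    """Per-session anti-CSRF token: an HMAC of the session id under a server secret,
    so a page served from another origin cannot know or guess it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers):
    """Accept only if Origin (or, failing that, Referer) names a trusted host.
    Browsers send Origin on cross-site POSTs, so a request with neither header is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc in TRUSTED_HOSTS


def vulnerable_handler(cookies, headers, form):
    """The weak pattern the advisory describes: a valid session cookie alone
    authorises the action, so a forged cross-site form post is accepted."""
    if cookies.get("sid") not in ACTIVE_SESSIONS:
        return 401, "login required"
    return 200, "accepted: " + form.get("cmd", "")


def hardened_handler(cookies, headers, form):
    """Session check, then origin validation, then a constant-time token compare."""
    sid = cookies.get("sid")
    if sid not in ACTIVE_SESSIONS:
        return 401, "login required"
    if not origin_is_trusted(headers):
        return 403, "rejected: untrusted or missing Origin/Referer"
    if not hmac.compare_digest(issue_csrf_token(sid), form.get("csrf_token", "")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "accepted: " + form.get("cmd", "")


def forged_request():
    """What the victim's browser sends from a page on another origin: the session
    cookie rides along automatically, but no trusted Origin and no token is present."""
    cookies = {"sid": "sid-constructed-0001"}
    headers = {"Origin": "https://external-site.example"}
    form = {"cmd": "uptime"}
    return cookies, headers, form


def legitimate_request():
    """A post from the real Webmin page: same cookie, trusted Origin, valid token."""
    cookies = {"sid": "sid-constructed-0001"}
    headers = {"Origin": "https://webmin.example.internal:10000"}
    form = {"cmd": "uptime", "csrf_token": issue_csrf_token("sid-constructed-0001")}
    return cookies, headers, form


def demo():
    """Return (vulnerable on forged, hardened on forged, hardened on legitimate)."""
    return (vulnerable_handler(*forged_request()),
            hardened_handler(*forged_request()),
            hardened_handler(*legitimate_request()))


if __name__ == "__main__":
    labels = ("vulnerable/forged", "hardened/forged", "hardened/legitimate")
    for label, (status, msg) in zip(labels, demo()):
        print(f"{label}: {status} {msg}")
```

The origin check alone already stops the forged post, but the token is kept as well: Origin and Referer can be stripped by privacy settings or proxies, and a token bound to the session keeps working when those headers are absent, provided the handler treats "neither header present" as a rejection rather than a pass.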
Attack Vector
The attack is network-based and requires user interaction: an authenticated Webmin administrator must visit a malicious webpage while logged in. The attacker crafts an HTML page containing hidden forms or JavaScript that automatically submits requests to the victim's Webmin instance. These requests target the process execution functionality, passing attacker-controlled command parameters. Because the victim's browser automatically includes authentication cookies with the request, Webmin processes it as a legitimate administrative action.
The attack flow is as follows: the attacker hosts a malicious page containing auto-submitting forms targeting the Webmin running process endpoint. When an authenticated administrator visits this page, their browser sends the forged request with valid session credentials. Webmin executes the command specified in the request, granting the attacker remote code execution with Webmin's privileges.
For technical details and proof-of-concept implementations, see the GitHub PoC Repository and the GitHub Exploit Repository.
Detection Methods for CVE-2021-31760
Indicators of Compromise
- Unexpected process executions initiated through Webmin's process management interface
- Webmin access logs showing requests to process execution endpoints with unusual referrer headers or from external origins
- Authentication sessions with anomalous activity patterns, particularly command execution immediately following external page visits
- Reverse shell connections or outbound network connections from the Webmin server to unknown IP addresses
Detection Strategies
- Monitor Webmin access logs for requests to /proc/run.cgi or similar process execution endpoints with external or missing Referer headers
- Implement network-based detection for HTTP requests to Webmin that originate from cross-origin sources
- Configure SIEM rules to alert on command execution activity in Webmin that correlates with suspicious browsing patterns
- Deploy endpoint detection solutions to identify unexpected child processes spawned by the Webmin service
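An added example, not part of the advisory, of the first detection strategy above: scanning access log lines for POSTs to /proc/run.cgi whose Referer is missing or names a host other than the administrative interface. It assumes the log is in Apache "combined" format (a Referer field per line); the log lines, host names and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Host:port under which administrators legitimately open Webmin (assumption)
TRUSTED_HOSTS = {"webmin.example.internal:10000"}
# Endpoints that should only ever be invoked from a page of the interface itself
WATCHED_PATHS = ("/proc/run.cgi",)

# Assumed "combined" access-log layout: ip ident user [ts] "req" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not taken from any real system
SAMPLE_LOG = [
    '10.0.0.5 - admin [25/Apr/2021:10:00:01 +0000] "GET /proc/index.cgi HTTP/1.1" 200 5120 '
    '"https://webmin.example.internal:10000/" "Mozilla/5.0"',
    '10.0.0.5 - admin [25/Apr/2021:10:00:09 +0000] "POST /proc/run.cgi HTTP/1.1" 200 812 '
    '"https://webmin.example.internal:10000/proc/index.cgi" "Mozilla/5.0"',
    '10.0.0.5 - admin [25/Apr/2021:10:03:44 +0000] "POST /proc/run.cgi HTTP/1.1" 200 812 '
    '"-" "Mozilla/5.0"',
    '10.0.0.5 - admin [25/Apr/2021:10:05:12 +0000] "POST /proc/run.cgi HTTP/1.1" 200 812 '
    '"https://external-site.example/page.html" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return a reason string if the record is a suspicious run.cgi call, else None."""
    path = rec["path"].split("?", 1)[0]
    if rec["method"] != "POST" or not path.startswith(WATCHED_PATHS):
        return None
    referer = rec["referer"]
    if referer in ("", "-"):
        return "missing Referer on process-execution request"
    host = urlsplit(referer).netloc
    if host not in TRUSTED_HOSTS:
        return f"cross-origin Referer ({host}) on process-execution request"
    return None


def scan(lines):
    """Run classify() over every parsable line and collect the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                           "path": rec["path"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} {a["user"]} {a["path"]}: {a["reason"]}')
```

A missing Referer is flagged rather than ignored because a browser submitting the interface's own form normally sends one; the trade-off is that privacy extensions or strict referrer policies will produce false positives, which is why the alert carries the user and timestamp so it can be correlated with the session activity named in the indicators above.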
Monitoring Recommendations
- Enable detailed access logging in Webmin and forward logs to a centralized SIEM solution
- Implement browser-based security controls to prevent cross-origin form submissions to internal administrative interfaces
- Monitor for unusual outbound connections from servers running Webmin, particularly to untrusted IP addresses
- Establish baseline behavior for Webmin process execution and alert on deviations
How to Mitigate CVE-2021-31760
Immediate Actions Required
- Upgrade Webmin to the latest version that includes CSRF protections
- Restrict network access to Webmin administrative interfaces using firewall rules or VPN requirements
- Ensure administrators only access Webmin from trusted, isolated browser sessions
- Implement additional authentication layers such as IP whitelisting or multi-factor authentication for Webmin access
Patch Information
Organizations should upgrade to a patched version of Webmin that addresses the CSRF vulnerability. Check the Webmin Project Repository for the latest releases and security updates. Given the severity of this vulnerability allowing unauthenticated remote code execution, patching should be treated as a critical priority.
Workarounds
- Restrict Webmin access to trusted IP addresses only via firewall rules or Webmin's built-in IP access control
- Disable the running process feature if not required for operations
- Use a dedicated browser profile for Webmin administration that has no other tabs or sessions open
- Deploy a reverse proxy with additional CSRF protection headers in front of Webmin
# Example: Restrict Webmin access to specific IP addresses using iptables
# Port 10000 is Webmin's default listener; adjust if it has been changed.
# Rule order matters: the ACCEPT for the trusted subnet must come before the DROP,
# and -A appends after existing INPUT rules, so review `iptables -L INPUT -n` first.
iptables -A INPUT -p tcp --dport 10000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.