A rash of supply chain attacks hitting open-source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators.
The first backdoor to come to light was in Webmin, a Web-based administration tool with more than 1 million installations. Sometime around April of last year, According to Webmin developer Jamie Cameron, someone compromised the server used to develop new versions of the program. The attacker then used the access to distribute a backdoor that was downloaded more than 900,000 times and may have been actively used by tens of thousands of Internet-facing servers.
The unknown attacker made a subtle change to a Webmin script called
password_change.cgi. The change gave attackers the ability to send a command through a special URL that an infected Webmin server would then execute with root privileges. In version 1.890, which had more than 421,000 downloads between June, 2018 and last weekend, the backdoor was turned on by default. On versions 1.90, 1.91, 1.91, and 1.92—which collectively had more than 942,000 downloads—the backdoor was active only when admins changed a default setting that allowed expired passwords to be changed. Backdoored versions were distributed on SourceForge, which is the primary distribution source the Webmin website points to.