Plesk Compromise

From arstechnica.com

Parallels KB article:
http://kb.parallels.com/116241

“The exploit for this vulnerability uses a combination of two issues:
– PHP vulnerability CVE-2012-1823 related to CGI mode used in older Plesks (http://kb.parallels.com/en/113818).
– Plesk phppath script alias usage in Plesk versions 9.0 – 9.2

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

Parallels Plesk Panel versions 9.0 through 9.2.3 on the Linux platform only. These are less than 4% of all Plesk Panel licenses, and these versions are end-of-life and unsupported (superseded by 9.5.4, which has been a direct upgrade available for over 3 years).”


Proposed resolution

Back up the following file, then remove this ScriptAlias line from it (it maps /phppath/ URLs onto the /usr/bin/ directory):

/etc/httpd/conf.d/php_cgi.conf:scriptAlias /phppath/ "/usr/bin/"

OR, preferably:

Upgrade the customer to Plesk 9.5.4; further upgrades would require kicking a new server and a migration, due to the database changes and the Postfix/Qmail package upgrade issue in 10.x.
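As an added example (not code from the post or from the Parallels KB), here is a small POSIX shell script that carries out the first resolution safely: it checks whether an Apache config file still carries a ScriptAlias for /phppath/, backs the file up, and comments the line out instead of deleting it. The default path is the /etc/httpd/conf.d/php_cgi.conf named above; the script touches only the single file it is given.

```shell
#!/bin/sh
# Added example, not from the post or the Parallels KB: audit an Apache config
# file for the Plesk 9.x "ScriptAlias /phppath/" line, back the file up, and
# comment the line out. Edits only the one file passed on the command line.

# Return 0 if the file maps /phppath/ with ScriptAlias (the directive name is
# case-insensitive, as Apache treats it), 1 otherwise.
has_phppath_alias() {
    grep -Eiq '^[[:space:]]*ScriptAlias[[:space:]]+/phppath/' "$1" 2>/dev/null
}

# Back the file up as <file>.bak-<timestamp>, then comment out every
# /phppath/ ScriptAlias line so Apache no longer exposes the directory it
# pointed at. Prints the backup path. Returns 0 on success, 2 if there was
# nothing to change, 1 on a copy/write error.
remove_phppath_alias() {
    conf="$1"
    has_phppath_alias "$conf" || return 2
    backup="${conf}.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1
    tmp=$(mktemp) || return 1
    awk '{
        line = $0
        sub(/^[[:space:]]+/, "", line)
        if (tolower(line) ~ /^scriptalias[[:space:]]+\/phppath\//)
            print "# disabled (phppath exposure): " $0
        else
            print $0
    }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    echo "$backup"
}

# Usage: sh check_phppath.sh /etc/httpd/conf.d/php_cgi.conf
if [ "$#" -gt 0 ]; then
    remove_phppath_alias "$1"
    echo "exit status $?"
fi
```

Reload Apache after the edit so the change takes effect, and keep the printed backup path in case the line has to be restored.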


Customers on Plesk Panel 9.0 through 9.2.3 should:

• Upgrade to the latest version of Plesk. Plesk 11 has been available for one year now. Plesk 11.5 has many improvements and will be available on June 13. Worst case, update to Plesk Panel 9.5.4 (which will reach end of life soon); it has a special PHP wrapper protecting from the PHP issue, along with a solution that avoids the phppath attack vector.

• Update PHP to protect against CVE-2012-1823 vulnerability (See http://kb.parallels.com/en/113818)

• Parallels has prepared a script for automatically updating the server, if a Plesk Panel update is not possible.
Download the archived script wrapper from the attachment onto the server running Parallels Plesk Panel for Linux 9.0 – 9.2.3.
Extract the archive and execute the script:
# wget http://kb.parallels.com/Attachments/25053/Attachments/wrapper.zip
# unzip wrapper.zip
# cd wrapper
# bash install.sh

All currently supported versions of Parallels Plesk Panel (9.5.4, 10.x and 11.x), as well as Parallels Plesk Automation, are not vulnerable. Plesk 8.x (now end-of-life) is also not vulnerable.

If a customer is using a legacy, no-longer-supported version of Parallels Plesk Panel, they should upgrade to the latest version.

Parallels reminds Plesk users that timely updates of the operating system, as well as of Plesk itself, are very important and required for your system's security.

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....