=====================================================================
CERT-Renater Information Note No. 2012/VULN093
_____________________________________________________________________

DATE                 : 28/02/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Linux/Unix, Windows running Plesk versions 7.x
                       up to and including 10.3.

======================================================================

http://kb.parallels.com/en/113321

_______________________________________________________________________

[FIX] Remote vulnerability in Plesk Panel

Article ID: 113321
Last Review: Feb 26, 2012

APPLIES TO:

  * Plesk 9.x for Linux/Unix
  * Plesk 8.x for Linux/Unix
  * Plesk 9.x for Windows
  * Plesk 8.x for Windows
  * Plesk 10.0.x for Windows
  * Plesk 10.1 for Windows
  * Plesk 10.2 for Windows
  * Plesk 10.3 for Windows
  * Plesk 10.0.x for Linux/Unix
  * Plesk 10.1 for Linux/Unix
  * Plesk 10.2 for Linux/Unix
  * Plesk 10.3 for Linux/Unix

Description

NOTE: The issue has been completely fixed in Plesk 8.6 MU#2, 9.5 MU#11,
10.3 MU#5, and later versions.

NOTE: If you suspect your server was compromised before you applied the
fixes, it is strongly recommended to change the passwords of all accounts
in Plesk, including the Plesk 'admin' account, after applying the fixes.

An anonymous attacker can remotely compromise a Plesk server.

Severity of vulnerability: Critical
Access Vector: Network exploitable; victim must voluntarily interact
               with attack mechanism
Access Complexity: easy
Authentication: Not required to exploit
Impact Type: Allows unauthorized access and modification

Vulnerable versions: Parallels Plesk Panel versions 7.6.1 - 10.3.1

Recommended resolution path for providers and large data centers

  * Update or migrate Plesk to versions for which Micro-Updates with
    fixes are available
  * Manual file replacement
  * Use workaround (see below)

Resolution

For the versions listed below, apply the fixes from this KB article:
http://kb.parallels.com/en/113313.

  * Plesk 8.1 for Linux/Unix
  * Plesk 8.2 for Linux/Unix
  * Plesk 8.3 for Linux/Unix
  * Plesk 8.4 for Linux/Unix
  * Plesk 9.0 for Linux/Unix
  * Plesk 9.2.x for Linux/Unix
  * Plesk 9.3 for Linux/Unix
  * Plesk 10.0.x for Linux/Unix
  * Plesk 10.1 for Linux/Unix
  * Plesk 10.2 for Linux/Unix

For the versions listed below, apply the fixes from this KB article:
http://kb.parallels.com/en/112303.

  * Plesk 8.1 for Windows
  * Plesk 8.2 for Windows
  * Plesk 8.3 for Windows
  * Plesk 8.4 for Windows
  * Plesk 8.6 for Windows
  * Plesk 9.0 for Windows
  * Plesk 9.2 for Windows
  * Plesk 9.3 for Windows
  * Plesk 9.5 for Windows

For the following versions ...

  * Plesk 8.6 for Linux
  * Plesk 9.5.4 for Linux
  * Plesk 10.0.1 for Linux and Windows
  * Plesk 10.1.1 for Linux and Windows
  * Plesk 10.2.0 for Linux and Windows
  * Plesk 10.3.1 for Linux and Windows

... fixes are provided by the Micro-Updates listed below:

  * 8.6.0 for Linux only             MU#2  - http://kb.parallels.com/en/112181
  * 9.5.4 for Linux only             MU#11 - http://kb.parallels.com/en/112179
  * 10.0.1 for Linux and Windows     MU#13 - http://kb.parallels.com/en/113322
  * 10.1.1 for Linux and Windows     MU#22 - http://kb.parallels.com/en/113323
  * 10.2.0 for Linux and Windows     MU#16 - http://kb.parallels.com/en/113324
  * 10.3.1 for Linux and Windows     MU#5  - KB is absent

For the remaining versions, it is recommended that you update to at least
the next-higher version of the versions listed above.

  * Plesk 7.x Linux/Windows
  * Plesk 8.0 Linux

======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel     | fax  : 01-53-94-20-41 +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================
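The version ranges and Micro-Update thresholds above are what an operator needs to triage a fleet of Plesk hosts. The following helper is an added example, not part of the CERT-Renater note or of Parallels' own tooling; it encodes the advisory's resolution table and assumes version strings of the form "10.3.1 MU#5" (the MU suffix and the handling of versions the advisory does not list explicitly are this helper's own conventions).

```python
"""Triage helper (added example, not from the advisory): given a Plesk version
string and platform, report whether the host is in the affected range of
Parallels KB 113321 and which resolution the advisory prescribes."""
import re

VULNERABLE_MIN = (7, 6, 1)   # "Vulnerable versions: 7.6.1 - 10.3.1"
VULNERABLE_MAX = (10, 3, 1)

# Base versions fixed by a Micro-Update, per the advisory's MU list.
# (version, platform) -> lowest MU number that contains the fix.
FIXING_MU = {
    ((8, 6, 0), "linux"): 2,
    ((9, 5, 4), "linux"): 11,
    ((10, 0, 1), "linux"): 13, ((10, 0, 1), "windows"): 13,
    ((10, 1, 1), "linux"): 22, ((10, 1, 1), "windows"): 22,
    ((10, 2, 0), "linux"): 16, ((10, 2, 0), "windows"): 16,
    ((10, 3, 1), "linux"): 5,  ((10, 3, 1), "windows"): 5,
}

# Assumed input format: "MAJOR.MINOR[.PATCH][ MU#N]" (helper's own convention).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MU#(\d+))?$")


def parse_version(text):
    """Parse '10.3.1 MU#3' or '9.5' into ((major, minor, patch), mu_level)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Plesk version string: {text!r}")
    major, minor, patch, mu = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(mu) if mu else 0)


def triage(version_text, platform):
    """Return (affected, action) for one host according to the advisory."""
    platform = platform.lower()
    version, mu = parse_version(version_text)
    if version < VULNERABLE_MIN or version > VULNERABLE_MAX:
        return False, "not in the affected range"
    needed = FIXING_MU.get((version, platform))
    if needed is not None:                      # fix shipped as a Micro-Update
        if mu >= needed:
            return False, f"fixed by MU#{needed}"
        return True, f"apply MU#{needed} or later"
    if version[0] == 7 or version[:2] == (8, 0): # "remaining versions": upgrade
        return True, "update to a version with a fix available"
    # Assumption: any other in-range version takes the platform's KB fix.
    if platform == "windows":
        return True, "apply fixes from KB 112303"
    return True, "apply fixes from KB 113313"
```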