Public issues VU#310500, CVE-2013-0132, CVE-2013-0133

APPLIES TO:
  • Parallels Plesk Panel 11.x for Linux
  • Parallels Plesk Panel 10.x for Linux
  • Parallels Plesk Panel 9.x for Linux/Unix
  • Parallels Plesk Panel 8.x for Linux/Unix

Background
 
Parallels Plesk Panel privilege escalation vulnerabilities have been discovered and are described in VU#310500, CVE-2013-0132, and CVE-2013-0133 (CVSS score 4.4 - http://www.kb.cert.org/vuls/id/310500).

The following versions of Parallels Plesk Panel for Linux are confirmed to be vulnerable: 9.5, 10.x, and 11.x. While there is no known exploit for the above vulnerabilities, Parallels strongly recommends taking action and applying the security updates (or workaround) described in this article.
 

Details
 
Parallels Plesk Panel versions 9.x to 11.x running the Apache web server with mod_php, mod_perl, mod_python, or similar Apache modules are vulnerable to privilege escalation by an authenticated user. Authenticated users are those who have a login to Parallels Plesk Panel (for example, your customers, resellers, or employees).

Parallels Plesk Panel instances whose Apache web server is configured to run PHP, Perl, Python, etc. through FastCGI or CGI are NOT vulnerable.

For security reasons, Parallels has recommended and continues to recommend FastCGI and CGI (for PHP, Perl, Python, etc.) over mod_php, mod_perl, mod_python, and similar modules.


Current Status

Parallels is actively working on security updates for these issues. The status of the update for each version is as follows:

•    Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions); see KB115944 for more information
•    Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel); see KB115945 for more details
•    Plesk 10.3.1: fixed in MU#20; see KB115959 for more details
•    Plesk 10.2.0: fixed in MU#19; see KB115958 for more details
•    Plesk 10.1.1: fixed in MU#24; see KB115957 for more details
•    Plesk 10.0.1: fixed in MU#18; see KB115956 for more details
•    Plesk 9.5.4: fixed in MU#28; see KB115946 for more details
•    Plesk 8.x: affected and end-of-life (EOL); see the Installation, Upgrade, Migration, and Transfer Guide for Parallels Plesk Panel 11.0 for details about upgrading or migrating the Panel


Immediate Workaround

Disable mod_php, mod_python, and mod_perl and use FastCGI and/or CGI instead; these handlers are not affected by this security vulnerability.

Below is an example of how to switch all existing domains from mod_php to FastCGI. The query lists every domain that uses virtual hosting (htype = 'vrt_hst'), and the domain utility then changes each one's PHP handler:

# mysql -uadmin --skip-column-names -p"$(cat /etc/psa/.psa.shadow)" psa \
      -e "select name from domains where htype = 'vrt_hst';" \
  | awk -F '|' '{print $1}' \
  | while read -r a; do
        /usr/local/psa/bin/domain -u "$a" -php_handler_type fastcgi
    done
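The following script is an added example, not Parallels' own code: it wraps the workaround above in a dry-run mode and adds the two checks an administrator would want after switching, namely which interpreter modules Apache still has loaded and a PHP probe page that reports the user a script actually runs as. The httpd binary name, the module-name pattern, and the probe's placement in a domain's document root are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not Parallels' own script: the KB workaround with a dry-run
# mode plus two post-switch checks. Assumed (not from the KB): the "httpd"
# binary name and the Apache module names matched by the module check.

PLESK_DOMAIN_BIN=/usr/local/psa/bin/domain   # path as given in the KB
DRY_RUN=${DRY_RUN:-1}                        # 1 = print commands, do not run

# Same query as the KB: every virtual-hosted domain, one name per line.
list_vhost_domains() {
    mysql -uadmin --skip-column-names -p"$(cat /etc/psa/.psa.shadow)" psa \
        -e "select name from domains where htype = 'vrt_hst';"
}

# Strip "| name |" decoration, surrounding whitespace and blank lines.
clean_domain_list() {
    sed -e 's/^[[:space:]|]*//' -e 's/[[:space:]|]*$//' | grep -v '^$'
}

# The per-domain switch command, using the flag shown on the KB page.
switch_command() {
    printf '%s -u %s -php_handler_type fastcgi\n' "$PLESK_DOMAIN_BIN" "$1"
}

# Print (DRY_RUN=1) or execute the switch for every domain read from stdin.
switch_all() {
    while read -r d; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'would run: %s\n' "$(switch_command "$d")"
        else
            "$PLESK_DOMAIN_BIN" -u "$d" -php_handler_type fastcgi
        fi
    done
}

# Check 1: interpreter modules Apache still has loaded after the switch.
loaded_interpreter_modules() {
    httpd -M 2>/dev/null | grep -Ei 'php|perl|python' || true
}

# Check 2: PHP probe (posix extension) printing the user a script runs as:
# the Apache user under mod_php, the domain's own user under FastCGI/CGI.
probe_source() {
    printf '<?php echo posix_getpwuid(posix_geteuid())["name"], "\\n";\n'
}
# Run the full workaround only when invoked as: ./switch_to_fastcgi.sh run
if [ "${1:-}" = run ]; then
    list_vhost_domains | clean_domain_list | switch_all
fi
```

Run it with the argument run and DRY_RUN=0 to apply the change; save the probe_source output as a .php file in a domain's document root and request it over HTTP to confirm the effective user changed.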

Even after the fix for this issue is published, Parallels still recommends that you avoid these Apache modules (mod_php, mod_python, and mod_perl) and use the FastCGI or CGI modes instead, for improved security on Apache.

For additional details, please refer to the Parallels Plesk Panel for Linux Advanced Administration Guide, section "Enhancing Security".



