Search

Language:  
Search for:

Available article translations:

Public issues VU#310500, CVE-2013-0132, CVE-2013-0133

APPLIES TO:
  • Parallels Plesk 11.x for Linux
  • Parallels Plesk 10.x for Linux
  • Parallels Plesk 9.x for Linux/Unix
  • Parallels Plesk 8.x for Linux/Unix

Background
 
Parallels Plesk Panel privilege escalation vulnerabilities have been discovered and are described in VU#310500, CVE-2013-0132, and CVE-2013-0133 (CVSS score 4.4 - http://www.kb.cert.org/vuls/id/310500).

The following versions of Parallels Plesk Panel for Linux are confirmed to be vulnerable: 9.5, 10.x, and 11.x. While there is no known exploit for the above vulnerabilities, Parallels strongly recommends taking action and applying the security updates (or workaround) described in this article.
 

Details
 
Parallels Plesk Panel versions 9.x to 11.x with Apache web server running mod_php, mod_perl, mod_python, etc., are vulnerable to authenticated user privilege escalation. Authenticated users are users that have logins to Parallels Plesk Panel (such as your customers, resellers, or your employees).
 
Parallels Plesk Panel instances with Apache web server configured with Fast CGI (PHP, perl, python, etc.) or CGI (PHP, perl, python, etc.) are NOT vulnerable.
 
For security reasons, Parallels has recommended and continues to recommend Fast CGI (for PHP, python, perl, etc.) and CGI (perl, python, PHP, etc.) over mod_php, mod_perl, mod_python, etc.


Current Status

Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:
 
•    Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information

•    Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
•    Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
•    Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
•    Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
•    Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details

•    Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details

•    Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration


Immediate Workaround

Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.

Below is the example on how to switch mod_php to fast_cgi for all existing domains:

# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done

After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.

For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.



1d151d16e47c6f92bbf62d50eb32c4a2 56797cefb1efc9130f7c48a7d1db0f0c c81e59b61af9dca603ba03b14aabe968 9f8baf78266b4e54525d1c6bf06305a5 12c6f6bd6775cb701defb57d79fe96f6 824237ce663843af86f93897fbd8e2f8 bdfc2fcfd33015dce037e3597d1fb50c

FEEDBACK
Was this article helpful?
Tell us how we may improve it.
Yes No
 
 
 
 
 
 
Desktop Virtualization
- Parallels Desktop 9 for Mac
- Parallels Transporter
- Parallels Desktop Switch to Mac Edition
- Parallels Desktop for Mac Enterprise Edition
- Parallels Management-Mac for Microsoft SCCM
Server Virtualization
- Parallels Cloud Server
- Parallels Containers for Windows 6.0 Beta
- Parallels Virtuozzo Containers
Automation
- Parallels Automation
- Parallels Automation for Cloud Infrastructure
- Parallels Business Automation Standard
- Parallels Virtual Automation
- Parallels Plesk Panel Suite
- Web Presence Builder
- Parallels Plesk Automation
- Parallels Small Business Panel
- Value-added Services for Hosters
- Parallels Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification