[FIX] Older Plesk Versions - Remote vulnerability in Plesk Panel (CVE-2012-1557)

APPLIES TO:
  • Parallels Plesk Panel 10.3 for Linux/Unix
  • Parallels Plesk Panel 10.2 for Linux/Unix
  • Parallels Plesk Panel 10.1 for Linux/Unix
  • Parallels Plesk Panel 10.0.x for Linux/Unix
  • Parallels Plesk Panel 9.x for Linux/Unix
  • Parallels Plesk Panel 8.x for Linux/Unix
  • Plesk 7.5.x Reloaded
  • Plesk 7.1.x Reloaded
  • Plesk 7.0.x
  • Parallels Plesk Panel 10.3 for Windows
  • Parallels Plesk Panel 10.2 for Windows
  • Parallels Plesk Panel 10.1 for Windows
  • Parallels Plesk Panel 10.0.x for Windows
  • Parallels Plesk Panel 9.x for Windows
  • Parallels Plesk Panel 8.x for Windows
  • Plesk 7.x for Windows

Disclaimer

This article provides the most complete information available about the Plesk Panel remote security vulnerability CVE-2012-1557.

Background Information

An anonymous (unauthenticated) remote attacker can compromise the Plesk server.

Affected Versions

Plesk versions that were affected by the vulnerability:

  • Plesk for Linux / Windows 7.x
  • Plesk for Linux / Windows 8.x
  • Plesk for Linux / Windows 9.x
  • Plesk for Linux / Windows 10.0 - 10.3.1

Parallels takes the security of its Partners seriously and encourages you to take the actions recommended below as soon as possible.
Parallels understands that a full upgrade to the latest release, Parallels Plesk Panel 11 (which is not affected), may not be feasible at this time, so a set of Micro-Updates was released for each affected major version that resolves the security issue without a system upgrade.

Server Vulnerability Check

To check whether your server is affected by this vulnerability, refer to the article describing the script created by the Plesk Service Team to automate the check:

  • 113424 How to make sure if your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2 or 10.3 is not vulnerable

Server Vulnerability Fix

If your server is vulnerable, apply one of the following Micro-Updates or Custom Fixes immediately:
 

Plesk Version   Windows                         Linux
                Custom Fix   Micro-Update       Custom Fix   Micro-Update
Plesk 8.1       KB112303     -                  KB113313     -
Plesk 8.2       KB112303     -                  KB113313     -
Plesk 8.3       KB112303     -                  KB113313     -
Plesk 8.4       KB112303     -                  KB113313     -
Plesk 8.6.0     KB112303     -                  -            8.6.0 MU#2
Plesk 9.0       KB112303     -                  KB113313     -
Plesk 9.2.x     KB112303     -                  KB113313     -
Plesk 9.3       KB112303     -                  KB113313     -
Plesk 9.5       KB112303     9.5.5 MU#1         -            9.5.4 MU#11
Plesk 10.0.x    KB112303     10.0.1 MU#13       KB113313     10.0.1 MU#13
Plesk 10.1      KB112303     10.1.1 MU#22       KB113313     10.1.1 MU#22
Plesk 10.2      KB112303     10.2.0 MU#16       KB113313     10.2.0 MU#16
Plesk 10.3.1    -            10.3.1 MU#5        -            10.3.1 MU#5

A dash means no fix of that type exists for that version; use the other column for that platform.

 

The complete guide to applying Microupdates is available at:
  • 9294 Using Microupdates in Parallels Plesk Panel 8.6, 9.5.x, 10.x and Parallels Small Business Panel
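The Micro-Update numbers in the table above are only useful if you can confirm the level actually installed on a server. The script below is an added example, not Plesk's own vulnerability checker (that is KB 113424) and not part of this article. It compares the installed MU level of a Plesk for Linux server against the Linux Micro-Update column of the table. It assumes two things the page does not state: that /usr/local/psa/version begins with the version string (e.g. "10.3.1 CentOS 5 1013110726.09"), and that /root/.autoinstaller/microupdates.xml records the installed MU level in a `patch="N"` attribute. The file contents shown are constructed samples; check both assumptions on your own server before relying on the result.

```python
"""Verify that a Plesk for Linux server carries the Micro-Update (MU) level
that fixes CVE-2012-1557, using the Linux Micro-Update column of the fix
table on this page.

Added example; this is not Plesk's own checker (that is KB 113424).
Assumed (not stated on this page): /usr/local/psa/version starts with the
version string, e.g. "10.3.1 CentOS 5 1013110726.09", and
/root/.autoinstaller/microupdates.xml records the installed MU level in a
patch="N" attribute. Verify both against your own server first.
"""
import re
import xml.etree.ElementTree as ET

# Linux Micro-Update column of the fix table. Versions that have only a
# Custom Fix (KB113313) are absent here; the script reports them as
# "unknown" because a custom fix leaves no MU level to inspect.
FIXED_MU = {
    "8.6.0": 2,    # 8.6.0 MU#2
    "9.5.4": 11,   # 9.5.4 MU#11
    "10.0.1": 13,  # 10.0.1 MU#13
    "10.1.1": 22,  # 10.1.1 MU#22
    "10.2.0": 16,  # 10.2.0 MU#16
    "10.3.1": 5,   # 10.3.1 MU#5
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_VERSION_FILE = "10.3.1 CentOS 5 1013110726.09\n"
SAMPLE_MICROUPDATES_XML = """<?xml version="1.0"?>
<patches>
  <product id="plesk" version="10.3.1" patch="4" installed-at="20120301T120000"/>
</patches>
"""


def parse_version(version_file_text):
    """Return (token, tuple) for the first token of /usr/local/psa/version,
    e.g. ("10.3.1", (10, 3, 1)) or ("9.3", (9, 3))."""
    token = version_file_text.split()[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", token)
    if m is None:
        raise ValueError("unrecognised Plesk version token: %r" % token)
    return token, tuple(int(p) for p in m.groups() if p is not None)


def parse_installed_mu(xml_text):
    """Highest patch="N" value in microupdates.xml; 0 if the file is missing
    or empty (no MU ever installed)."""
    if not xml_text or not xml_text.strip():
        return 0
    root = ET.fromstring(xml_text)
    levels = [int(el.get("patch")) for el in root.iter()
              if el.get("patch", "").isdigit()]
    return max(levels, default=0)


def assess(version_file_text, microupdates_xml):
    """Return "fixed", "vulnerable" or "unknown".

    "unknown" means the version is one the page lists as fixable only by a
    Custom Fix (or a build not in the table), so the MU level says nothing;
    check for the KB113313 custom fix by hand there."""
    token, parts = parse_version(version_file_text)
    if parts >= (11,):
        return "fixed"  # Plesk 11 is not affected, per the advisory
    required = FIXED_MU.get(token)
    if required is None:
        return "unknown"
    installed = parse_installed_mu(microupdates_xml)
    return "fixed" if installed >= required else "vulnerable"


def assess_server(version_path="/usr/local/psa/version",
                  mu_path="/root/.autoinstaller/microupdates.xml"):
    """Run the check against the live files (assumed paths, see above);
    a missing microupdates.xml counts as MU level 0."""
    with open(version_path) as f:
        version_text = f.read()
    try:
        with open(mu_path) as f:
            mu_xml = f.read()
    except FileNotFoundError:
        mu_xml = ""
    return assess(version_text, mu_xml)


if __name__ == "__main__":
    # Constructed sample: 10.3.1 at MU#4 is one MU short of the fix.
    print(assess(SAMPLE_VERSION_FILE, SAMPLE_MICROUPDATES_XML))  # vulnerable
```

Run assess_server() as root on the box being audited. A result of "unknown" is not a pass: for 8.1 to 8.4, 9.0 to 9.3 and any 10.0.x other than 10.0.1 the table offers only the KB113313 custom fix, whose presence this script cannot see, so confirm that fix separately.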

Plesk for Virtuozzo Specific

If your Plesk installation runs inside a Parallels Virtuozzo Containers environment, install the Micro-Updates or updated PVC templates using the following guides:

  • 113441 How to install the latest Microupdates for Parallels Plesk Panel to a PVC Linux container
  • 113407 New PVC templates for Plesk 8.6.0, 9.5, 10.0, 10.1, 10.2 Windows and regular distribution kit for Plesk 8.6.0 and 9.5.5 Windows versions with included security fixes
  • 7110 Microupdates are not applied automatically if Parallels Panel for Linux is installed inside Containers by means of Virtuozzo template

Best Practices

To be on the safe side, we recommend securing your server and your customers' subscriptions by resetting the passwords of all Plesk accounts with the script from the Plesk Service Team:

  • 113391 Plesk Mass Password Reset Script
After the mass password change you must also remove all records from the 'sessions' table of the psa database (otherwise sessions established before the reset remain usable); the new version of the mass password reset script does this with --clean-up-sessions:
# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions

If you have a Plesk 8.x or Plesk 9.x server, we recommend migrating it to Plesk 11, which does not have this security vulnerability.
Note that this should be a migration, not an upgrade, because a migration can easily be rolled back.
Moreover, during a migration the source Parallels Plesk Panel server and the sites registered on it keep working, whereas an upgrade could cause service downtime.

Additional information

Once the corresponding Micro-Update or Custom Fix is installed on your server, the security issue is fixed there.

We hope this information helps you secure the data on your server from malicious attacks.



