[FIX] Remote vulnerability in Plesk Panel
- Parallels Plesk Panel 10.3 for Linux/Unix
- Parallels Plesk Panel 10.2 for Linux/Unix
- Parallels Plesk Panel 10.1 for Linux/Unix
- Parallels Plesk Panel 10.0.x for Linux/Unix
- Parallels Plesk Panel 9.x for Linux/Unix
- Parallels Plesk Panel 8.x for Linux/Unix
- Plesk 7.5.x Reloaded
- Plesk 7.1.x Reloaded
- Plesk 7.0.x
- Parallels Plesk Panel 10.3 for Windows
- Parallels Plesk Panel 10.2 for Windows
- Parallels Plesk Panel 10.1 for Windows
- Parallels Plesk Panel 10.0.x for Windows
- Parallels Plesk Panel 9.x for Windows
- Parallels Plesk Panel 8.x for Windows
- Plesk 7.x for Windows
Disclaimer
This article is created in order to provide the most explicit information in regards to a Plesk Panel remote security vulnerability.
Background Information
An anonymous attacker can remotely compromise Plesk server.
Affected Versions
Plesk versions that were affected by the vulnerability:
- Plesk for Linux / Windows 7.x
- Plesk for Linux / Windows 8.x
- Plesk for Linux / Windows 9.x
- Plesk for Linux / Windows 10.0 – 10.3.1
Parallels takes the security of our Partners very seriously and encourages you to take actions recommended below as soon as possible.
Parallels understands that it may not be plausible at this time to perform a full upgrade to the latest release of Parallels Plesk Panel 11 which is not affected, thus there was a set of Micro-Updates released for each major version affected which will resolve the security issue without the necessity of a system upgrade.
Server Vulnerability Check
In order to check whether your server is subjected to the security vulnerability announced previously please refer to the article that describes the script created by Plesk Service Team to automate the verification procedure:
- 113424 How to make sure if your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2 or 10.3 is not vulnerable
Server Vulnerability Fix
If your server is vulnerable, make sure that one of the following Micro-Updates applied immediately:
Plesk Version | Windows | Linux | ||
---|---|---|---|---|
Custom Fix | Micro-Update | Custom Fix | Micro-Update | |
Plesk 8.1 | KB112303 | – | KB113313 | – |
Plesk 8.2 | KB112303 | – | KB113313 | – |
Plesk 8.3 | KB112303 | – | KB113313 | – |
Plesk 8.4 | KB112303 | – | KB113313 | – |
Plesk 8.6.0 | KB112303 | – | – | 8.6.0 MU#2 |
Plesk 9.0 | KB112303 | – | KB113313 | – |
Plesk 9.2.x | KB112303 | – | KB113313 | – |
Plesk 9.3 | KB112303 | – | KB113313 | – |
Plesk 9.5 | KB112303 | 9.5.5 MU#1 | – | 9.5.4 MU#11 |
Plesk 10.0.x | KB112303 | 10.0.1 MU#13 | KB113313 | 10.0.1 MU#13 |
Plesk 10.1 | KB112303 | 10.1.1 MU#22 | KB113313 | 10.1.1 MU#22 |
Plesk 10.2 | KB112303 | 10.2.0 MU#16 | KB113313 | 10.2.0 MU#16 |
Plesk 10.3.1 | – | 10.3.1 MU#5 | – | 10.3.1 MU#5 |
- 9294 Using Microupdates in Parallels Plesk Panel 8.6, 9.5.x, 10.x and Parallels Small Business Panel
Plesk for Virtuozzo Specific
If your Plesk installation runs inside Parallels Virtuozzo Containers virtual environment, Micro-Updates or updated PVC templates should be installed using the following guide:
- 113441 How to install the latest Microupdates for Parallels Plesk Panel to a PVC Linux container
- 113407 New PVC templates for Plesk 8.6.0, 9.5, 10.0, 10.1, 10.2 Windows and regular distribution kit for Plesk 8.6.0 and 9.5.5 Windows versions with included security fixes
- 7110 Microupdates are not applied automatically if Parallels Panel for Linux is installed inside Containers by means of Virtuozzo template
Best Practices
In order to be on a safe side we recommend that you secure your server and your customers’ subscriptions by resetting passwords for all Plesk accounts using the script from Plesk Service Team:
- 113391 Plesk Mass Password Reset Script
AFTER MASS PASSWORDS CHANGING YOU MUST REMOVE ALL RECORDS FROM ‘sessions’ TABLE OF psa DATABASE WITH NEW VERSION OF MASS PASSWORD RESET SCRIPT:
# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions
If you have a Plesk 8.x or Plesk 9.x server we recommend to migrate it to Plesk 11. Plesk Panel 11 does not have this security vulnerability.
NOTE that a migration should be performed, not an upgrade, because the migration process can be easily rolled back.
Moreover, during migration the source Parallels Plesk Panel server continues working along with sites registered in it, while an upgrade could cause downtime of services.
Additional information
If a corresponding Micro-Update or Custom Fix was installed on your server it will fix the security issue on your server.
We hope that this information will help you to secure data on your server from the malicious attacks.
http://kb.parallels.com/en/114376
SOURCE: http://kb.parallels.com/en/113321