Vulnerability Note VU#310500

Plesk Panel 11.0.9 privilege escalation vulnerabilities

Original Release date: 10 Apr 2013 | Last revised: 30 Jul 2014

Overview

Plesk Panel 11.0.9 and possibly earlier versions contains multiple privilege escalation vulnerabilities.

Description

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

  • Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
  • The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
The CVSS scores below apply to CVE-2013-0133.

Impact

An authenticated attacker maybe be able to escalate their privileges to root allowing them to run arbitrary code as the root user.

Solution

Update

Parallel's Plesk Panel advisory states:

    Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

    • Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see
    KB115944 for more information
    • Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see
    KB115945 for more details
    • Plesk 10.3.1: fixed in MU#20 - see
    KB115959 for more details
    • Plesk 10.2.0: fixed in MU#19 - see
    KB115958 for more details
    • Plesk 10.1.1: fixed in MU#24 - see
    KB115957 for more details
    • Plesk 10.0.1: fixed in MU#18 - see
    KB115956 for more details
    • Plesk 9.5.4: fixed in MU#28 - see
    KB115946 for more details
    • Plesk 8.x: affected, EOLed - see
    Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Parallel's Plesk Panel advisory states the following workaround:

    Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
    Below is the example on how to switch mod_php to fast_cgi for all existing domains:
    # mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
    After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
    For additional details, please refer to
    Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Parallels Holdings LtdAffected08 Feb 201325 Apr 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 4.5 E:U/RL:OF/RC:UC
Environmental 3.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2013-0132 CVE-2013-0133
  • Date Public: 10 Apr 2013
  • Date First Published: 10 Apr 2013
  • Date Last Updated: 30 Jul 2014
  • Document Revision: 25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.