search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Plesk Panel 11.0.9 privilege escalation vulnerabilities

Vulnerability Note VU#310500

Original Release Date: 2013-04-10 | Last Revised: 2014-07-30

Overview

Plesk Panel 11.0.9 and possibly earlier versions contains multiple privilege escalation vulnerabilities.

Description

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

    • Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
    • The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
The CVSS scores below apply to CVE-2013-0133.

Impact

An authenticated attacker maybe be able to escalate their privileges to root allowing them to run arbitrary code as the root user.

Solution

Update

Parallel's Plesk Panel advisory states:

Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

• Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see
KB115944 for more information
• Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see
KB115945 for more details
• Plesk 10.3.1: fixed in MU#20 - see
KB115959 for more details
• Plesk 10.2.0: fixed in MU#19 - see
KB115958 for more details
• Plesk 10.1.1: fixed in MU#24 - see
KB115957 for more details
• Plesk 10.0.1: fixed in MU#18 - see
KB115956 for more details
• Plesk 9.5.4: fixed in MU#28 - see
KB115946 for more details
• Plesk 8.x: affected, EOLed - see
Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Parallel's Plesk Panel advisory states the following workaround:


Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
Below is the example on how to switch mod_php to fast_cgi for all existing domains:
# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
For additional details, please refer to
Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

Vendor Information

310500
 
Affected   Unknown   Unaffected

Parallels Holdings Ltd

Notified:  February 08, 2013 Updated:  April 25, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 4.5 E:U/RL:OF/RC:UC
Environmental 3.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-0132, CVE-2013-0133
Date Public: 2013-04-10
Date First Published: 2013-04-10
Date Last Updated: 2014-07-30 16:56 UTC
Document Revision: 25

Sponsored by CISA.