Overview

Plesk Panel 11.0.9 and possibly earlier versions contains multiple privilege escalation vulnerabilities.

Description

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk’s custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

* Plesk's `/usr/sbin/suexec` binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
* The program` /usr/local/psa/admin/sbin/wrapper` allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133

The CVSS scores below apply to CVE-2013-0133.

Impact

An authenticated attacker maybe be able to escalate their privileges to root allowing them to run arbitrary code as the root user.

---

Solution

Update

Parallel’s Plesk Panel advisory states:

_Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

• Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see __KB115944 __for more information
• Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see __KB115945 __for more details
• Plesk 10.3.1: fixed in MU#20 - see __KB115959 __for more details
• Plesk 10.2.0: fixed in MU#19 - see __KB115958 __for more details
• Plesk 10.1.1: fixed in MU#24 - see __KB115957 __for more details
• Plesk 10.0.1: fixed in MU#18 - see __KB115956 __for more details
• Plesk 9.5.4: fixed in MU#28 - see __KB115946 __for more details
• Plesk 8.x: affected, EOLed - see __Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 _for more details about the Panel upgrade/migration

---

Parallel’s Plesk Panel advisory states the following workaround:

_Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
Below is the example on how to switch mod_php to fast_cgi for all existing domains:

mysql -uadmin --skip-column-names -pcat /etc/psa/.psa.shadow psa -e “select name from domains where htype = ‘vrt_hst’;” | awk -F | ‘{print $1}’ | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done

After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
For additional details, please refer to _Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

---

Vendor Information

310500

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Parallels Holdings Ltd Affected

Notified: February 08, 2013 Updated: April 25, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://kb.parallels.com/115942&gt;

CVSS Metrics

Group	Score	Vector
Base	6.8	AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal	4.5	E:U/RL:OF/RC:UC
Environmental	3.4	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <http://www.parallels.com/products/plesk/&gt;
• <http://kb.parallels.com/115942&gt;

Acknowledgements

Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:	CVE-2013-0132, CVE-2013-0133
Date Public:	2013-04-10 Date First Published: