Executive Summary

Summary

Title: Plesk Panel 11.0.9 privilege escalation vulnerabilities

Information

Name: VU#310500
Vendor: VU-CERT
First vendor publication: 2013-04-10
Last vendor modification: 2013-04-25
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA; Environmental score: NA
Impact sub-score: NA; Temporal score: NA
Exploitability sub-score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 7.2; Attack range: Local
CVSS impact score: 10; Attack complexity: Low
CVSS exploit score: 3.9; Authentication: None required

Detail

Vulnerability Note VU#310500

Plesk Panel 11.0.9 privilege escalation vulnerabilities

Original Release date: 10 Apr 2013 | Last revised: 25 Apr 2013

Overview

Plesk Panel 11.0.9 and possibly earlier versions contain multiple privilege escalation vulnerabilities.

Description

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

  • Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
  • The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
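Both flaws above share one root cause: a privileged program (suexec with cgi-wrapper, and the psaadm wrapper) hands the caller's environment to a child, so PATH lookups and environment-driven behaviour are attacker-controlled. The following is an added example of the defensive pattern, not Plesk's wrapper or suexec code: the launcher rebuilds the child's environment from an allow-list and a hardcoded PATH. The allow-list, SAFE_PATH and the hostile sample environment are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened launcher (added example, not Plesk's wrapper or suexec).
 * A privileged child must never inherit the caller's PATH (CVE-2013-0133) or the
 * variables that steer a helper such as cgi-wrapper (CVE-2013-0132). */

#define SAFE_PATH "PATH=/usr/local/bin:/usr/bin:/bin"   /* assumed safe search path */
#define MAX_ENV 16

/* Variables the privileged scripts legitimately need (assumed); all others are dropped. */
static const char *const keep_prefixes[] = { "LANG=", "TZ=", NULL };

/* Build a clean envp from an untrusted one; returns the entry count or -1 if out is too small. */
int build_safe_env(char *const *untrusted, const char **out, size_t out_cap) {
    size_t n = 0;
    if (out_cap < 2) return -1;
    out[n++] = SAFE_PATH;                       /* the caller's PATH is never consulted */
    for (size_t i = 0; untrusted[i] != NULL && n + 1 < out_cap; i++) {
        for (size_t k = 0; keep_prefixes[k] != NULL; k++) {
            if (strncmp(untrusted[i], keep_prefixes[k], strlen(keep_prefixes[k])) == 0) {
                out[n++] = untrusted[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Return the value of NAME in a NULL-terminated envp, or NULL if absent. */
const char *env_lookup(const char **env, const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

int main(void) {
    /* Constructed hostile caller environment: attacker-chosen PATH and LD_PRELOAD. */
    char *const hostile[] = { "PATH=/tmp/untrusted:/usr/bin", "LD_PRELOAD=/tmp/x.so",
                              "LANG=C.UTF-8", NULL };
    const char *clean[MAX_ENV];
    int n = build_safe_env(hostile, clean, MAX_ENV);
    for (int i = 0; i < n; i++) puts(clean[i]);
    /* A real wrapper would now execve() the script by absolute path with clean as envp. */
    return 0;
}
```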

Impact

An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.

Solution

Update

Parallels' Plesk Panel advisory states:

    Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

    • Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information
    • Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
    • Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
    • Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
    • Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
    • Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
    • Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
    • Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Parallels' Plesk Panel advisory states the following workaround:

    Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
    Below is the example on how to switch mod_php to fast_cgi for all existing domains:
    # mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
    After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
    For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.

Vendor Information

Vendor: Parallels Holdings Ltd
Status: Affected
Date notified: 08 Feb 2013
Date updated: 25 Apr 2013

CVSS Metrics

Group: Score, Vector
Base: 4.4, AV:L/AC:M/Au:S/C:C/I:N/A:N
Temporal: 3.4, E:U/RL:U/RC:UC
Environmental: 1.0, CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.parallels.com/products/plesk/
  • http://kb.parallels.com/115942

Credit

Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2013-0132, CVE-2013-0133
  • Date Public: 10 Apr 2013
  • Date First Published: 10 Apr 2013
  • Date Last Updated: 25 Apr 2013
  • Document Revision: 17

Original Source

URL: http://www.kb.cert.org/vuls/id/310500

CWE : Common Weakness Enumeration

Id: CWE-94; Name: Failure to Control Generation of Code ('Code Injection'); Share: 100 %

CPE : Common Platform Enumeration

Type: Application; Description: (none given); Count: 1

Alert History

Date: Information
2013-05-16 17:18:15: Multiple Updates
2013-05-11 05:18:24: Multiple Updates
2013-04-25 21:20:11: Multiple Updates
2013-04-25 21:18:26: Multiple Updates
2013-04-19 17:20:23: Multiple Updates
2013-04-19 00:20:16: Multiple Updates
2013-04-10 21:18:31: First insertion