Apr 17th, 2013
A new Parallels Plesk Panel privilege escalation vulnerabilities have been discovered (VU#310500 and CVE-2013-0132, CVE-2013-0133)
- Plesk’s /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary ‘cgi-wrapper’, bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper’s function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
- The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
Parallels Plesk Panel versions 9.x-11.x with Apache web server running mod_php, mod_perl, mod_python, etc. is vulnerable to authenticated user privilege escalation. Authenticated users are users that have login to Parallels Plesk Panel (such as f.e. your customers, resellers, or your employees).
Patching the server with the latest MU’s is extremely mandatory.
We highly suggest purchasing our Full Security Audit plan to update/patch and confirm your server hasn’t been compromised.
Should you have further questions please don’t hesitate to contact our Customer Support Team available 24/7 !