Metric | Value |
---|---|
CVSS2 score | 7.2 High |
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
CVSS2 vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
EPSS | 0.006 Low |
EPSS percentile | 78.2% |
Plesk Panel 11.0.9 and possibly earlier versions contains multiple privilege escalation vulnerabilities.
Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.
Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user ID above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.
* Plesk's `/usr/sbin/suexec` binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
* The program `/usr/local/psa/admin/sbin/wrapper` allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
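Both issues above depend on a privileged program passing the caller's environment through to what it runs. The following sketch is an added example, not Plesk's or Parallels' code: it shows a privileged launcher that discards the inherited environment, pins PATH, and accepts only absolute helper paths. The function names, the fixed PATH value and the allowlist are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed policy for this example: a fixed search path and a short allowlist. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
static const char *const KEEP[] = { "LANG=", "TZ=", NULL };

/* Copy only allowlisted variables from `in` to `out`, with the fixed PATH
 * first. A caller-supplied PATH, LD_PRELOAD, etc. is never copied.
 * Returns the entry count (excluding the NULL), or -1 if `out` is too small. */
int build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in && in[i]; i++) {
        for (size_t k = 0; KEEP[k]; k++) {
            if (strncmp(in[i], KEEP[k], strlen(KEEP[k])) == 0) {
                if (n + 1 >= cap) return -1;   /* keep room for the NULL */
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Helpers must be named by absolute path so PATH is never consulted. */
int is_absolute_target(const char *path)
{
    return path && path[0] == '/';
}

/* Run `target` with the sanitized environment; returns only on failure. */
int run_helper(const char *target, char *const argv[], char *const envp[])
{
    const char *clean[16];
    if (!is_absolute_target(target)) return -1;
    if (build_clean_env(envp, clean, 16) < 0) return -1;
    execve(target, argv, (char *const *)clean);
    return -1;
}

int main(void)
{
    /* Constructed sample environment, as an untrusted caller might set it. */
    char *env[] = { "PATH=/tmp/x", "LD_PRELOAD=/tmp/x.so", "LANG=C", NULL };
    const char *out[8];
    int n = build_clean_env(env, out, 8);
    for (int i = 0; i < n; i++) puts(out[i]);
    return 0;
}
```

Pinning PATH in the launcher is defence in depth; scripts run with root privileges should still invoke external programs by full path.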
An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.
Update
Parallels' Plesk Panel advisory states:
_Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:_
* Plesk 11: fixed in MU#46 (shows up as a Security fix - red - in all Plesk 11 versions) - see KB115944 for more information
* Plesk 10.4.4: fixed in MU#49 (shows up as an Update - MU - in Panel) - see KB115945 for more details
* Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
* Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
* Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
* Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
* Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
* Plesk 8.x: affected, EOLed - see _Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0_ for more details about the Panel upgrade/migration
Parallels' Plesk Panel advisory states the following workaround:
Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
Below is the example on how to switch mod_php to fast_cgi for all existing domains:

```
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
```

After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
For additional details, please refer to _Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security_.
310500
Notified: February 08, 2013 Updated: April 25, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 4.5 | E:U/RL:OF/RC:UC |
Environmental | 3.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2013-0132, CVE-2013-0133 |
---|---|
Date Public: | 2013-04-10 |
Date First Published: | |