A variation is being reported of a previously-reported zero-day vulnerability in older versions of Parallels Plesk Panel. Since the original vulnerability was first reported, the majority of Parallels Plesk Panel customers took the necessary steps to upgrade to a non-vulnerable version of the product.
Today only 4% of servers running Parallels Plesk Panel are potentially impacted. This means 96% of Parallels Plesk Panel servers have been updated to a non-vulnerable version of Parallels Plesk Panel.
If you are still running Parallels Plesk Panel 9.0 to 9.2, please take the action to upgrade today. There are multiple version options to upgrade to in order to help you secure and protect your customers.
How to upgrade
+ The best version to upgrade to is Parallels Plesk Panel 11.0. It has been available for over a year and is the version with the highest deployment rate, lowest support cost, best performance and, of course, highest security.
+ On June 13, 2013, Parallels will launch Parallels Plesk Panel 11.5. This new version will come with additional usability, performance and security benefits.
+ If you cannot upgrade to the latest version, you can update now to Parallels Plesk Panel 9.5.4. This is a direct upgrade through the AutoInstaller. On June 13 you can then upgrade to version 11.5.
If you are unable to upgrade at this time, you can apply a script to automatically update your Parallels Plesk Panel for Linux 9.0-9.2.3 server. You can download that script (wrapper.zip) from the “Attachments” section of http://kb.parallels.com/116241.
Details about the vulnerability
This vulnerability is not new. It is a variation of the long-known CVE-2012-1823 vulnerability related to the CGI mode of PHP in selected older and end-of-life versions of Parallels Plesk Panel. The exploit for this vulnerability uses a combination of two issues:
+ PHP vulnerability CVE-2012-1823 related to CGI mode used in older versions of Parallels Plesk Panel (http://kb.parallels.com/en/113818)
+ Parallels Plesk Panel phppath script alias usage in Parallels Plesk Panel versions 9.0-9.2
All currently supported versions of Parallels Plesk Panel 9.5.4, 10.x and 11.x, as well as Parallels Plesk Automation, are NOT vulnerable. Also, Parallels Plesk Panel 8.x (now end-of-life) is NOT vulnerable.
There also are some additional resources to insure that your Parallels Plesk Panel installation is secure, and malware, if present, is removed:
+ Parallels has created a comprehensive page on securing Parallels Plesk Panel at http://kb.parallels.com/en/114396
+ Parallels has created a malware removal tool at http://kb.parallels.com/en/115025
Adam Bogobowicz, Sr. Director of Product Marketing