Category Archives: Security Updates

Variation of previously reported vulnerability in older versions of Parallels Plesk Panel

A variation of a previously reported zero-day vulnerability in older versions of Parallels Plesk Panel is being reported. Since the original vulnerability was first reported, the majority of Parallels Plesk Panel customers have taken the necessary steps to upgrade to a non-vulnerable version of the product.

Today only 4% of servers running Parallels Plesk Panel are potentially impacted. This means 96% of Parallels Plesk Panel servers have been updated to a non-vulnerable version of Parallels Plesk Panel.

If you are still running Parallels Plesk Panel 9.0 to 9.2, please take action and upgrade today. There are multiple versions you can upgrade to that will help you secure and protect your customers.

How to upgrade

+ The best version to upgrade to is Parallels Plesk Panel 11.0. It has been available for over a year and is the version with the highest deployment rate, lowest support cost, best performance and, of course, highest security.

+ On June 13, 2013, Parallels will launch Parallels Plesk Panel 11.5. This new version will come with additional usability, performance and security benefits.

+ If you cannot upgrade to the latest version, you can update now to Parallels Plesk Panel 9.5.4. This is a direct upgrade through the AutoInstaller. On June 13 you can then upgrade to version 11.5.

If you are unable to upgrade at this time, you can apply a script that automatically updates your Parallels Plesk Panel for Linux 9.0-9.2.3 server. You can download that script (wrapper.zip) from the “Attachments” section of http://kb.parallels.com/116241.

Details about the vulnerability

This vulnerability is not new. It is a variation of the long-known CVE-2012-1823 vulnerability, which concerns the CGI mode of PHP in selected older and end-of-life versions of Parallels Plesk Panel. The exploit for this vulnerability combines two issues:

+ PHP vulnerability CVE-2012-1823 related to CGI mode used in older versions of Parallels Plesk Panel (http://kb.parallels.com/en/113818)

+ Parallels Plesk Panel phppath script alias usage in Parallels Plesk Panel versions 9.0-9.2

All currently supported versions of Parallels Plesk Panel 9.5.4, 10.x and 11.x, as well as Parallels Plesk Automation, are NOT vulnerable. Also, Parallels Plesk Panel 8.x (now end-of-life) is NOT vulnerable.
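As an added illustration for administrators reviewing their servers (this is not code from the Parallels advisory or from Parallels), the following Python scanner reads Apache access-log lines and flags requests that match the CVE-2012-1823 condition: a query string with no unencoded "=" is an "indexed" query that the CGI interface passes to the php-cgi binary as command-line arguments, so any token that decodes to something beginning with "-" is an option injection rather than data. The `/phppath/` URL prefix is an assumption derived from the "phppath script alias" the advisory names, and the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed script-alias prefix: the advisory names the alias "phppath", but the
# exact URL path on a given server is an assumption made for this example.
PHPPATH_PREFIX = "/phppath/"


def is_cgi_arg_injection(target: str) -> bool:
    """True if the request's query string would reach a CGI binary as argv.

    Per RFC 3875 section 4.4, a query string containing no unencoded '='
    is an 'indexed' query and is passed to the CGI program as command-line
    arguments, one per '+'-separated token. A token that percent-decodes to
    something starting with '-' is therefore an option to php-cgi, which is
    the CVE-2012-1823 condition. An encoded '=' (%3d) does not count.
    """
    query = urlsplit(target).query
    if not query or "=" in query:
        return False
    tokens = [unquote(t) for t in query.split("+")]
    return any(t.startswith("-") for t in tokens)


def scan_access_log(lines):
    """Return one finding dict per suspicious request line, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        target = m.group("target")
        if not is_cgi_arg_injection(target):
            continue
        reasons = ["cgi-argument-injection"]
        if urlsplit(target).path.startswith(PHPPATH_PREFIX):
            reasons.append("phppath-alias")
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "target": target,
            "status": int(m.group("status")),
            "reasons": reasons,
        })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2013:10:00:02 +0000] "GET /phppath/php?%2dh HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jun/2013:10:00:03 +0000] "POST /cgi-bin/php?-d+display_errors%3d1 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [10/Jun/2013:10:00:04 +0000] "GET /search?term HTTP/1.1" 200 128',
    '203.0.113.9 - - [10/Jun/2013:10:00:05 +0000] "GET /index.php?q=-foo HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["target"], ",".join(finding["reasons"]))
```

Of the five sample lines, only the two from 198.51.100.7 are flagged: the percent-encoded dash is caught because tokens are decoded before the check, while `/search?term` (an indexed query with no option) and `/index.php?q=-foo` (a dash inside a normal key=value pair) are correctly ignored. A hit on a 9.0-9.2 server is a strong reason to apply the upgrade or the wrapper script described above and to run the malware removal tool.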

There are also some additional resources to ensure that your Parallels Plesk Panel installation is secure and that malware, if present, is removed:

+ Parallels has created a comprehensive page on securing Parallels Plesk Panel at http://kb.parallels.com/en/114396

+ Parallels has created a malware removal tool at http://kb.parallels.com/en/115025

To stay on top of Parallels security communications, please subscribe to our support e-mails by clicking here, subscribe to our RSS feed here, and add our Knowledge Base browser plug-in here.

Adam Bogobowicz, Sr. Director of Product Marketing


Parallels supports Cisco researcher assessment: “website operators and administrators must keep systems up-to-date.”

Recently, a Cisco security research analyst used an old Parallels Plesk Panel vulnerability as an example of why it is important to patch servers that may be running old software. His point is valid, and Parallels agrees fully that “the active exploit of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date.”

It turns out the exploit this researcher was referring to was (a) for Parallels Plesk Panel 9.3 and earlier, products from 2009 and earlier that are now at end-of-life, and (b) in the third-party Horde webmail component, not in the Parallels Plesk control panel itself. A patch was promptly issued by Parallels in February 2012.

This reported vulnerability, which certainly is not anything new (considering the patch has been out for over a year), was later confused in some subsequent blogs and comments with another vulnerability in Parallels Plesk 10.3 and earlier versions (products from summer 2011 and earlier), also discovered and fixed in February 2012. Though the current version of Parallels Plesk Panel at that time, 10.4, did not have this vulnerability, Parallels immediately issued a security advisory and patches in February 2012 for all prior impacted versions and advised partners about actions to take. Additionally, Parallels created a comprehensive page on securing Parallels Plesk Panel and a Malware Removal Tool, responding quickly and thoroughly to these exploits.

For Parallels partners who install patches and reset passwords, Parallels Plesk Panel is not subject to this vulnerability. Customers running Parallels Plesk Panel 10.4 and 11 never had this vulnerability in the first place.

Parallels agrees that the point of the Cisco researcher is still very valid: “The active exploit of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date. This is especially urgent with vulnerabilities that are remotely detectable. This means not just the operating system, but every program and add-on for those programs also needs to be kept up-to-date. A vulnerability left unpatched in any one of them can lead to total system compromise.”

We strongly encourage our customers to subscribe to our support e-mails by clicking here, subscribe to our RSS feed here, and add our KnowledgeBase browser plug-in here.

Parallels Plesk Panel 11 and the upcoming 11.5 are the most secure versions ever, and we strongly encourage our Partners and customers to upgrade to these versions. In Parallels Plesk Panel 11, all Security Updates are clearly reported in the panel. Partners can force Security Updates when they choose. The option to turn on auto-upgrades is also highly recommended for anyone on Parallels Plesk Panel 10 or above. It is the best way to stay fully secure.

– The Parallels Plesk Panel Team