Parallels Customer,
Please read this message in its entirety and take the recommended actions.
Note: Parallels Plesk Panel versions 9.3 and later are not impacted.
Situation
Recently there have been a number of reports of a “new” zero-day vulnerability in Parallels Plesk Panel. This vulnerability is a variation of the long-known CVE-2012-1823 vulnerability related to the CGI mode of PHP in selected older and end-of-life versions of Parallels Plesk Panel. The exploit for this vulnerability uses a combination of two issues:
• PHP vulnerability CVE-2012-1823 related to CGI mode used in older versions of Parallels Plesk Panel (http://kb.parallels.com/en/113818).
• Parallels Plesk Panel phppath script alias usage in Parallels Plesk Panel versions 9.0-9.2
All currently supported versions of Parallels Plesk Panel 9.5.4, 10.x and 11.x, as well as Parallels Plesk Automation, are NOT vulnerable. Also, Parallels Plesk Panel 8.x (now end-of-life) is NOT vulnerable.
Impact
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
Parallels Products Impacted
This vulnerability impacts Parallels Plesk Panel versions 9.0 through 9.2.3. As of early June 2013, these versions represent less than 4% of all Parallels Plesk Panel licenses and these versions are end-of-life (superseded by 9.5.4, which has had a direct upgrade available for over 3 years).
Solution
Customers on Parallels Plesk Panel 9.0 through 9.2.3 should immediately:
• Upgrade to the latest version of Parallels Plesk Panel. Parallels Plesk Panel 11 has been available for over a year. Parallels Plesk Panel 11.5 has many advancements and will be available on June 13, 2013. If you cannot upgrade to the latest version of Parallels Plesk Panel, update to Parallels Plesk Panel 9.5.4 (which will reach end of life and end of support soon); it has a special PHP wrapper that protects against the PHP issue, and a solution that avoids the phppath attack vector.
• Update PHP to protect against the CVE-2012-1823 vulnerability (see http://kb.parallels.com/en/113818).
• Protect the phppath script alias used in Parallels Plesk Panel versions 9.0 – 9.2, as described in the overall issue KB article: http://kb.parallels.com/116241
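To decide which of the actions above apply, an administrator first needs to know whether a given server is inside the affected range. The following is an added example (not Parallels' code) that classifies a Plesk Panel version string against the ranges stated in this advisory; it assumes the version string is read from /usr/local/psa/version, which is an assumption about the server layout, not something the advisory states.

```python
import re

# Affected range as stated in the advisory: 9.0 through 9.2.3 inclusive.
AFFECTED_LOW = (9, 0, 0)
AFFECTED_HIGH = (9, 2, 3)


def parse_version(text):
    """Return (major, minor, patch) from a version string.

    Accepts a bare "9.2.3" or "9.0" as well as a longer line such as
    "9.2.3 CentOS 5 92090713.16" (constructed sample of the layout assumed
    for /usr/local/psa/version). A missing patch level counts as 0.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch = m.groups()
    # Tuples compare numerically, so 9.2.10 sorts after 9.2.3 as intended.
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Classify a version per the advisory.

    'affected'      : 9.0 - 9.2.3, phppath alias plus CVE-2012-1823 apply
    'not-affected'  : 8.x (end of life), 9.3+, 9.5.4, 10.x, 11.x
    """
    v = parse_version(version_text)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Read the live version on a Plesk server; fall back to a constructed
    # sample so the script also runs elsewhere.
    try:
        with open("/usr/local/psa/version") as fh:
            line = fh.read()
    except OSError:
        line = "9.2.3 CentOS 5 92090713.16"  # constructed sample
    print("%s -> %s" % (line.strip(), assess(line)))
```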
Call to Action
Customers are also strongly encouraged to subscribe to our support e-mails and our RSS feed, and to add our Knowledge Base browser plug-in.
Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.
Additional Resources
• Parallels has created a comprehensive page on securing Parallels Plesk Panel at http://kb.parallels.com/en/114396
• Parallels has created a Malware Removal tool at http://kb.parallels.com/en/115025