Software Engineering Institute

Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.

Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum.

• Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables) this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132

• The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133

An authenticated attacker maybe be able to escalate their privileges to root allowing them to run arbitrary code as the root user.

Update

Parallel's Plesk Panel advisory states:

Parallels is actively working on security updates for these issues. The ETAs for these updates are as follows:

• Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information
• Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details
• Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details
• Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
• Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
• Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
• Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
• Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration

Parallel's Plesk Panel advisory states the following workaround:

Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability.
Below is the example on how to switch mod_php to fast_cgi for all existing domains:
# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
After the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.