Parallels Plesk Panel 9.x, 10.x, 11.x – Privilege Escalation Vulnerability

Parallels Customer,
Please read this message in its entirety and take the recommended actions.

Situation

Parallels Plesk Panel privilege escalation vulnerabilities have been discovered and are described in VU#310500 and CVE-2013-0132, CVE-2013-0133 (CVSS score 4.4 – http://www.kb.cert.org/vuls/id/310500).

Impact

This impacts Parallels Plesk Panel for Linux versions 9.x, 10.x, 11.x.

You are at risk if you have Apache web server running mod_php, mod_perl, mod_python, etc.

You are NOT at risk if you have Apache web server running Fast CGI (PHP, perl, python, etc.) or CGI (PHP, perl, python, etc.).

Solution

Parallels has issued security updates for Parallels Plesk Panel versions 9.x-11.x. The security updates for Parallels Plesk Panel 11.x and Parallels Plesk Panel 10.4.4 will automatically appear inside your Parallels Plesk Panel control panel – please apply them as soon as possible.

The security hotfix for Parallels Plesk 9.x is available for download here: http://kb.parallels.com/115942.

Workaround

Parallels understands that it’s not always practical for immediate upgrades, so we have provided a solution to fix this vulnerability. For the immediate solution, customers should read this knowledge base article for instructions: http://kb.parallels.com/115942.

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

Customers are also strongly encouraged to subscribe to our support e-mails by clicking here, subscribe to our RSS feed here and add our Knowledge Base browser plug-in here.

Having a control panel like Parallels Plesk Panel makes managing a server much easier. It removes the mystery of running command lines to do things like set up user accounts, websites, and databases. In short, for a novice, it makes the impossible really simple.

If you still need some convincing, Parallels was kind enough to provide us with a clear list of the benefits of Parallels Plesk Panel here. If you’re reading this, chances are you’re interested in the Website Owners section.

Attackers use this misconfiguration to perform DNS attacks against other Internet services. For more information on these attacks, please see this blog post.

To prevent these attacks they need to reconfigure and lock down their DNS servers. For more information see these articles:

How do I disable recursive DNS queries on my Windows Dedicated or Virtual Private Server?

How do I disable recursive DNS queries on my Windows server with Parallels Plesk Panel?

How do I disable recursive DNS queries on my Linux VPS or Dedicated Server?

Disabling Recursive DNS in the Parallels Plesk Panel

What Risks Are Associated with Recursive DNS Queries?

We’re excited to announce the re-branding for two of our core hosting products. Virtual Dedicated Servers are now called Go Daddy VPS (Virtual Private Servers) and 4GH is Go Daddy Web Hosting.

These new product names now display inside the Products section of your account manager.

Here’s some great news: By applying this new MicroUpdate, all previous MicroUpdates are also applied to Plesk.

We are emailing our customers who need to install these updates. Please refer to this Knowledge Base article for MicroUpdate installation instructions.

Running older versions of Plesk can also open your server to malicious outbound flooding attacks. Avoid these security vulnerabilities and keep your control panel updated. You can install the latest micro-update patches from your Plesk control panel. For more information, click here.

For more information about upgrading Plesk, check out the Parallels® Plesk Panel 10.4: Installation and Upgrade Guide.

There is a patch to resolve the vulnerability, but it might require an upgrade to your current version of Plesk.

Here’s information from Parallels that you can use to get started. The instructions vary based on the version and operating system of Plesk you use.

If you’re already running 10.4, you’re already protected from this vulnerability.

Customers brought this issue to our attention and it was escalated to our advanced support team today at 9 a.m. Our team diagnosed the issue, and restored service for most users by 9:30am, with a very small number of users affected for a short time afterward.

We apologize if you were affected. We are working with our security vendor to correct these filters and ensure they are correct in the future.

• Maintenance begins Friday at 10 p.m. MST.
• Chat will be completely inaccessible until 11 p.m. MST.
• Users might experience intermittent service interruptions until Saturday at 3 a.m. MST.

Thanks for your patience as we upgrade our servers.

• Go Daddy already supports AAAA records, which are IPv6′s equivalent to IPv4′s A records that store your domain name’s IP addresses, starting way back in October of 2007.
• Since August 2008, we’ve also supported Glue records, which let you use your domain name as a nameserver with IPv6.
• ARIN, RIPE, and APNIC have each assigned us a /32 (a large range of IPv6 addresses). To be exact, each /32 is 79 nonillion (7.9×10²⁸) IP addresses, so having a “large range” is a bit of an understatement.
• All of our data centers have redundant IPv6 transit from multiple providers now. This means we support IPV6 today, even though we haven’t enabled it on our customer-facing servers yet.

There’s more coming soon, too. We’ll have DNS running a dual stack (that’s simultaneous IPv4 and IPv6 support). We’ll have IPv6 on our Dedicated, Virtual Dedicated, and Fourth-Generation Web Hosting (4GH™). All of our websites and products will use it. This is just the beginning. We want to assure you that we’re on top of it, and doing everything we can to time our implementation just right to provide you with the IPv6 services you need without a hassle.