{"vuid":"VU#310500","idnumber":"310500","name":"Plesk Panel 11.0.9 privilege escalation vulnerabilities","keywords":["Plesk Panel","privilege escalation"],"overview":"Plesk Panel 11.0.9 and possibly earlier versions contain multiple privilege escalation vulnerabilities.","clean_desc":"Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user. Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user ID above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum. Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables), this allows execution of arbitrary PHP code with a user ID above a minimum user ID value that is hardcoded in the suid binary. (CVE-2013-0132)\nThe program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. (CVE-2013-0133)\nThe CVSS scores below apply to CVE-2013-0133.","impact":"An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.","resolution":"Update\nParallels' Plesk Panel advisory states: Parallels is actively working on security updates for these issues.
The ETAs for these updates are as follows:\n• Plesk 11: fixed in MU#46 (shows up as a Security fix – red – in all Plesk 11 versions) - see KB115944 for more information\n• Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in Panel) - see KB115945 for more details\n• Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details\n• Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details\n• Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details\n• Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details\n• Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details\n• Plesk 8.x: affected, EOLed - see Installation, Upgrade, Migration, and Transfer Guide. Parallels Plesk Panel 11.0 for more details about the Panel upgrade/migration","workarounds":"Parallels' Plesk Panel advisory states the following workaround: Disable mod_php, mod_python, and mod_perl and use Fast CGI and/or CGI, which are not affected by this security vulnerability. Below is an example of how to switch mod_php to fast_cgi for all existing domains:\n# mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e \"select name from domains where htype = 'vrt_hst';\" | awk -F \\| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done\nAfter the fix for the issue is published, Parallels still recommends that you avoid using these Apache modules (mod_php, mod_python, and mod_perl) and instead use Fast CGI or CGI modes for improved security on Apache.
For additional details, please refer to Parallels Plesk Panel for Linux Advanced Administration Guide, Enhancing Security.","sysaffected":"","thanks":"Thanks to Ronald Volgers of Pine Digital Security for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://www.parallels.com/products/plesk/","http://kb.parallels.com/115942"],"cveids":["CVE-2013-0132","CVE-2013-0133"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-02-07T19:39:06Z","publicdate":"2013-04-10T00:00:00Z","datefirstpublished":"2013-04-10T17:39:11Z","dateupdated":"2014-07-30T16:56:51Z","revision":25,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.8","cvss_basevector":"AV:L/AC:L/Au:S/C:C/I:C/A:C","cvss_temporalscore":"4.5","cvss_environmentalscore":"3.3791031138816","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}