This article is created in order to provide the most explicit information in regards to a Plesk remote security vulnerability (CVE-2012-1557).
An anonymous attacker can remotely compromise Plesk server.
Plesk versions that were affected by the vulnerability:
- Plesk for Linux / Windows 7.x
- Plesk for Linux / Windows 8.x
- Plesk for Linux / Windows 9.x
- Plesk for Linux / Windows 10.0 - 10.3.1
Plesk team takes the security of our Partners very seriously and encourages you to take actions recommended below as soon as possible. Plesk team understands that it may not be plausible at this time to perform a full upgrade to the latest release of Plesk which is not affected, thus there was a set of Micro-Updates released for each major version affected which will resolve the security issue without the necessity of a system upgrade.
Server Vulnerability Check
In order to check whether your server is subjected to the security vulnerability announced previously please refer to the article that describes the script created by Plesk Developers to automate the verification procedure:
- 113424 How to make sure if your Plesk 8.x, 9.x, 10.0, 10.1, 10.2 or 10.3 is not vulnerable
Server Vulnerability Fix
If your server is vulnerable, make sure that one of the following Micro-Updates applied immediately:
|** Plesk Version**||** Windows**||** Linux**|
|Custom Fix||Micro-Update||Custom Fix||Micro-Update|
|Plesk 8.6.0||[KB112303]||-||-||[8.6.0 MU#2]|
|Plesk 9.5||[KB112303]||[9.5.5 MU#1]||-||[9.5.4 MU#11]|
|Plesk 10.0.x||[KB112303]||[10.0.1 MU#13]||[KB113313]||[10.0.1 MU#13]|
|Plesk 10.1||[KB112303]||[10.1.1 MU#22]||[KB113313]||[10.1.1 MU#22]|
|Plesk 10.2||[KB112303]||[10.2.0 MU#16]||[KB113313]||[10.2.0 MU#16]|
|Plesk 10.3.1||-||[10.3.1 MU#5]||-||[10.3.1 MU#5]|
The complete guide for applying Microupdates you can find on the following link:
- 9294 Using Microupdates in Plesk 8.6, 9.5.x, 10.x and Small Business Panel
Plesk for Virtuozzo Specific
If your Plesk installation runs inside Virtuozzo containers virtual environment, Micro-Updates or updated Virtuozzo containers templates should be installed using the following guide:
- 113441 How to install the latest Microupdates for Plesk to a Virtuozzo Linux container
- 113407 New Virtuozzo containers templates for Plesk 8.6.0, 9.5, 10.0, 10.1, 10.2 Windows and regular distribution kit for Plesk 8.6.0 and 9.5.5 Windows versions with included security fixes
- 7110 Microupdates are not applied automatically if Panel for Linux is installed inside Containers by means of Virtuozzo template
In order to be on a safe side we recommend that you secure your server and your customers' subscriptions by resetting passwords for all Plesk accounts using the script from Plesk Developers:
- 113391 Plesk Mass Password Reset Script
AFTER MASS PASSWORDS CHANGING YOU MUST REMOVE ALL RECORDS FROM 'sessions' TABLE OF psa DATABASE WITH NEW VERSION OF MASS PASSWORD RESET SCRIPT:
# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions
If you have a Plesk 8.x or Plesk 9.x server we recommend to migrate it to Plesk 11 or later versions.* Plesk 11 does not have this security vulnerability.*
NOTE that a migration should be performed, not an upgrade, because the migration process can be easily rolled back.
Moreover, during migration the source Plesk server continues working along with sites registered in it, while an upgrade could cause downtime of services.
If a corresponding Micro-Update or Custom Fix was installed on your server it will fix the security issue on your server.
We hope that this information will help you to secure data on your server from the malicious attacks.