-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0056
     Two vulnerabilities have been identified in Parallels Plesk Panel
                               16 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Parallels Plesk Panel
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0133 CVE-2013-0132 
Member content until: Thursday, May 16 2013

OVERVIEW

        Two vulnerabilities have been identified in Parallels Plesk Panel 
        versions 11.x, 10.x for Linux and 9.x for UNIX/Linux. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "Parallels Plesk Panel privilege escalation vulnerabilities have 
        been discovered and are described in VU#310500 and CVE-2013-0132, 
        CVE-2013-0133 (CVSS score 4.4 - 
        http://www.kb.cert.org/vuls/id/310500 )
        
        The following versions of Parallels Plesk Panel for Linux are 
        confirmed to be vulnerable: 9.5, 10.x, 11.x. While there is no known
        exploit for the above vulnerabilities, Parallels strongly recommends
        taking action and applying the security updates (or workaround)
        described in this article." [1]
        
        US-CERT has also provided the following details regarding these 
        issues:
        
        "Plesk Panel contains multiple privilege escalation vulnerabilities
        which may allow an attacker to run arbitrary code as the root user.
        
        Special-case rules in Plesk's custom version of Apache suexec allow
        execution of arbitrary code as an arbitrary user id above a certain
        minimum value. In addition, several administrative or system 
        accounts have a user ID above this minimum.
        
        * Plesk's /usr/sbin/suexec binary (the binary may be present in 
        additional locations, always with suexec in the filename) always 
        allows the binary 'cgi-wrapper', bypassing restrictions on the 
        ownership of the file to be called. Since cgi-wrapper's function is
        to execute a PHP script based on environment variables (and suexec 
        does not sanitize these environment variables) this allows execution
        of arbitrary PHP code with a user id above a minimum user ID value 
        that is hardcoded in the suid binary. CVE-2013-0132
        
        * The program /usr/local/psa/admin/sbin/wrapper allows the user 
        psaadm to execute various administrative scripts with root 
        privileges. Some of these scripts call external programs without 
        specifying the full path. By specifying a malicious PATH environment
        variable, an attacker can cause the administrative scripts to call 
        his own program instead of the intended system program. 
        CVE-2013-0133" [2]
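        The second issue above (CVE-2013-0133) is the classic privileged-wrapper
        mistake: a script that runs as root inherits PATH from an unprivileged
        caller and resolves tool names through it. The POSIX shell snippet
        below is an added example for defenders and is not Plesk's code nor
        taken from the advisory; the script it audits is a constructed sample.
        It shows the two checks an operator would want when reviewing such
        wrappers on a host: does a PATH value contain anything an ordinary user
        can influence (empty or relative elements, world-writable directories),
        and which commands in a given script are invoked by bare name rather
        than absolute path. The command parser is a deliberately simple
        heuristic (first word of each pipeline segment), so treat its output as
        a review aid, not proof.

```shell
#!/bin/sh
# Added example (not from the advisory or Plesk): auditing a privileged
# wrapper script for PATH-based hijacking of the kind CVE-2013-0133 describes.

# A fixed, trusted PATH that a root-running wrapper should set itself
# instead of inheriting the caller's value.
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# path_is_sane PATHSTRING
# Returns 0 when every element is an absolute, non-world-writable directory.
# An empty element ("::", leading or trailing ":") and "." both mean
# "current directory", which lets the caller plant a lookalike binary.
path_is_sane() {
    case "$1" in
        ""|:*|*:|*::*) return 1 ;;      # empty element == current directory
    esac
    _rc=0
    _old_ifs=$IFS
    IFS=:
    for _d in $1; do
        case "$_d" in
            /*) ;;                       # absolute: acceptable so far
            *)  _rc=1 ;;                 # "." or a relative path: reject
        esac
        # An existing directory that anyone can write to is as bad as ".".
        if [ -d "$_d" ] && [ -n "$(find "$_d" -prune -perm -0002)" ]; then
            _rc=1
        fi
    done
    IFS=$_old_ifs
    return $_rc
}

# bare_commands SCRIPT
# Prints, once each, the command names in SCRIPT that are invoked without an
# absolute path. Heuristic: the first word of every pipeline/list segment,
# skipping comments, blank lines, VAR=value assignments and shell builtins.
bare_commands() {
    awk '
    BEGIN {
        n = split("cd echo exit export if then else elif fi for do done while until case esac set test [ return shift read unset local trap", b, " ")
        for (k = 1; k <= n; k++) builtin[b[k]] = 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    {
        n = split($0, seg, /[|][|]|&&|[|;]/)         # split on | || && ;
        for (i = 1; i <= n; i++) {
            s = seg[i]
            sub(/^[[:space:]]+/, "", s)
            if (s == "" || s ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue   # VAR=value
            split(s, w, /[[:space:]]+/)
            c = w[1]
            if (c ~ /^[\/(){}]/ || (c in builtin) || (c in seen)) continue
            seen[c] = 1
            print c
        }
    }' "$1"
}

# Demo on a constructed sample (run directly: sh this_file.sh).
demo() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
#!/bin/sh
# constructed sample wrapper script
DIR=/var/lib/example
cd "$DIR"
tar czf backup.tgz data | /usr/bin/gzip -t
/bin/rm -f old.tgz
EOF
    echo "PATH check on SAFE_PATH:"; path_is_sane "$SAFE_PATH" && echo ok
    echo "commands resolved via PATH in sample:"; bare_commands "$_f"
    rm -f "$_f"
}
```

        In the sample, `tar` is the only tool resolved through PATH; a wrapper
        that runs as root should either set PATH to SAFE_PATH before doing
        anything else or call `/bin/tar` explicitly, which is the fix the
        US-CERT text implies for CVE-2013-0133.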


MITIGATION

        The vendor has stated that they are actively working on security 
        updates to correct these issues and have provided the following 
        details:
        
        "* Plesk 11: fixed in MU#46 (shows up as Security fix – red – in all
        Plesk 11s) - see KB115944 for more information
        
        * Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in 
        Panel) - see KB115945 for more details
        
        * Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
        
        * Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
        
        * Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
        
        * Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
        
        * Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details" [1]
        
        Additionally the vendor has provided the following workaround:
        
        "Disable mod_php, mod_python and mod_perl and use Fast CGI and/or CGI, 
        which are not affected by this security vulnerability.
        
        Below is an example of how to switch mod_php to fast_cgi for all 
        existing domains:
        
        # mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
        
        After the fix for the issue is published, Parallels still recommends 
        avoiding these Apache modules (mod_php, mod_python and mod_perl) and 
        instead using Fast CGI or CGI modes for improved security on 
        Apache." [1]


REFERENCES

        [1] Public issues VU#310500 and CVE-2013-0132, CVE-2013-0133
            http://kb.parallels.com/en/115942

        [2] Vulnerability Note VU#310500
            http://www.kb.cert.org/vuls/id/310500

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----