
                         AUSCERT Security Bulletin

     Two vulnerabilities have been identified in Parallels Plesk Panel
                               16 April 2013


        AusCERT Security Bulletin Summary

Product:              Parallels Plesk Panel
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0133 CVE-2013-0132 
Member content until: Thursday, May 16 2013


        Two vulnerabilities have been identified in Parallels Plesk Panel 
        versions 11.x, 10.x for Linux and 9.x for UNIX/Linux. [1]


        The vendor has provided the following details regarding these 
        vulnerabilities:
        "Parallels Plesk Panel privilege escalation vulnerabilities have 
        been discovered and are described in VU#310500 and CVE-2013-0132, 
        CVE-2013-0133 (CVSS score 4.4 - 
        http://www.kb.cert.org/vuls/id/310500 )
        The following versions of Parallels Plesk Panel for Linux are 
        confirmed to be vulnerable: 9.5, 10.x, 11.x. While there is no known
        exploit for the above vulnerabilities, Parallels strongly recommends
        taking action and applying the security updates (or workaround) described
        in this article." [1]
        US-CERT has also provided the following details regarding these 
        vulnerabilities:
        "Plesk Panel contains multiple privilege escalation vulnerabilities
        which may allow an attacker to run arbitrary code as the root user.
        Special-case rules in Plesk's custom version of Apache suexec allow
        execution of arbitrary code as an arbitrary user id above a certain
        minimum value. In addition, several administrative or system 
        accounts have a user ID above this minimum.
        * Plesk's /usr/sbin/suexec binary (the binary may be present in 
        additional locations, always with suexec in the filename) always 
        allows the binary 'cgi-wrapper', bypassing restrictions on the 
        ownership of the file to be called. Since cgi-wrapper's function is
        to execute a PHP script based on environment variables (and suexec 
        does not sanitize these environment variables) this allows execution
        of arbitrary PHP code with a user id above a minimum user ID value 
        that is hardcoded in the suid binary. CVE-2013-0132
        * The program /usr/local/psa/admin/sbin/wrapper allows the user 
        psaadm to execute various administrative scripts with root 
        privileges. Some of these scripts call external programs without 
        specifying the full path. By specifying a malicious PATH environment
        variable, an attacker can cause the administrative scripts to call 
        his own program instead of the intended system program. 
        CVE-2013-0133" [2]
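        The second weakness above (privileged scripts calling external programs
        by bare name, so the caller's PATH decides what runs) can be audited for
        in any privileged helper script. The checker below is an added defensive
        example, not Plesk or US-CERT code; the two scripts it inspects are
        constructed samples, and the hardened one shows the usual fix of pinning
        PATH and naming every external program by absolute path.

```python
# Audit of helper scripts that a privileged wrapper runs as root, for the weakness behind
# CVE-2013-0133: external programs called by bare name, so the caller's PATH decides what
# runs. Added example, not Plesk code; the two scripts below are constructed samples.
import re
import shlex

OPERATORS = {"|", "||", "&&", ";", ";;", "&", "(", ")"}    # a new command follows these
KEYWORDS = {"if", "then", "else", "elif", "do", "while", "until", "!", "{", "}", "fi", "done"}
# Builtins resolve inside the shell, not via PATH; 'for'/'case' are listed so the loop
# variable or case subject after them is not mistaken for a command.
BUILTINS = {"echo", "cd", "export", "exit", "return", "set", "unset", "shift", "read", "test",
            "[", "local", "break", "continue", ":", "for", "case", "esac"}
ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*=")

def bare_commands(script_text):
    """Return (line, word) for each command word that is neither a builtin nor an absolute
    path. Line-by-line heuristic (case patterns and heredocs not modelled): review by hand."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True          # keep $VAR/path and user:group as one word
        try:
            tokens = list(lexer)
        except ValueError:                     # unbalanced quote: skip rather than guess
            continue
        expect_cmd = True
        for tok in tokens:
            if tok in OPERATORS:
                expect_cmd = True
            elif not expect_cmd:
                continue                       # an argument, not a command word
            elif tok in KEYWORDS or ASSIGNMENT.match(tok):
                pass                           # still waiting for the command word
            else:
                if tok not in BUILTINS and not tok.startswith("/"):
                    findings.append((lineno, tok))
                expect_cmd = False
    return findings

VULNERABLE = """#!/bin/sh
LOGDIR=/var/log/example
mkdir -p $LOGDIR
tar czf $LOGDIR/backup.tgz /etc/example && chown root:root $LOGDIR/backup.tgz
"""
HARDENED = """#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
LOGDIR=/var/log/example
/bin/mkdir -p "$LOGDIR"
/bin/tar czf "$LOGDIR/backup.tgz" /etc/example && /bin/chown root:root "$LOGDIR/backup.tgz"
"""
```

        Running bare_commands over the first sample reports mkdir, tar and
        chown as PATH-dependent; the second sample reports nothing.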


        The vendor has stated that they are actively working on security 
        updates to correct these issues and have provided the following 
        details:
        "* Plesk 11: fixed in MU#46 (shows up as Security fix – red – in all
        Plesk 11s) - see KB115944 for more information
        * Plesk 10.4.4: fixed in MU#49 (shows up as an Update – MU – in 
        Panel) - see KB115945 for more details
        * Plesk 9.5.4: fixed in MU#28 - see KB115946 for more details
        * Plesk 10.0.1: fixed in MU#18 - see KB115956 for more details
        * Plesk 10.1.1: fixed in MU#24 - see KB115957 for more details
        * Plesk 10.2.0: fixed in MU#19 - see KB115958 for more details
        * Plesk 10.3.1: fixed in MU#20 - see KB115959 for more details" [1]
        Additionally, the vendor has provided the following workaround:
        "Disable mod_php, mod_python and mod_perl and use Fast CGI and/or CGI, 
        which are not affected by this security vulnerability.
        Below is the example on how to switch mod_php to fast_cgi for all 
        existent domains:
        # mysql -uadmin --skip-column-names -p`cat /etc/psa/.psa.shadow` psa -e "select name from domains where htype = 'vrt_hst';" | awk -F \| '{print $1}' | while read a; do /usr/local/psa/bin/domain -u $a -php_handler_type fastcgi; done
        After the fix for the issue is published Parallels still recommends 
        to avoid using these apache modules (mod_php, mod_python and 
        mod_perl) and instead use Fast CGI or CGI modes for improved 
        security on Apache." [1]


        [1] Public issues VU#310500 and CVE-2013-0132, CVE-2013-0133

        [2] Vulnerability Note VU#310500

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967