Parallels says customers should upgrade their Plesk, but experts worry many won’t
An unpatched vulnerability in Parallels’ Plesk control panel could let hackers take complete control of a vulnerable web server running the software – and there could be thousands of servers at risk.
It is believed cyber criminals are exploiting the flaw “in the wild”. The flaw was uncovered by a user called ‘kingcope’ on the full-disclosure mailing list at Seclists.org, showing how a PHP misconfiguration in Plesk could be exploited. Versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk are affected, but does not work on the latest Plesk software.
“This vulnerability is easily exploitable with the exploit code available and successful exploitation can result to complete compromise of the system with web service privileges,” Trend Micro warned in a blog post.
“Not everyone updates their servers regularly or with the latest version for varied reason. Thus, we might see Plesk-supported sites being affected by this exploit in the near future.”
Over on the full disclosure list, one user, jtag, said he had “uncovered what appeared to be a sizeable botnet leveraging this vulnerability to infect webservers with a malicious IRC bot written in Perl”.
“A large list of hosts believed to be infected was generated from the data gathered, and probed in an automated fashion for vulnerable Plesk installations,” they claimed.
“Over 900 hosts attempting to connect were running vulnerable Plesk installations, confirming our suspicion that the Plesk exploit was how this malware was spreading.”
Parallels has responded, saying it has a workaround for those affected and who can’t upgrade to the latest release for whatever reason.
“This vulnerability is a variation of the long known CVE-2012-1823 vulnerability related to the CGI mode of PHP only in older Plesks. All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well Parallels Plesk Automation, are not vulnerable.
“If a customer is using legacy, and a no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version. For the legacy versions of Parallels Plesk Panel, we provided a suggested and unsupported workaround described in http://kb.parallels.com/en/113818,” the company said in a statement sent to TechWeekEurope.
What do you know about Internet security? Find out with our quiz!