The Perils of the Plesk Zero-Day Exploit

Written by: Bernadette Irinco

Parallels Plesk Panel, or simply "Plesk", is a widely used hosting control panel created by Parallels. Web hosting companies and service providers use Plesk to let their customers host and manage their websites and servers.

In June 2013, we received a report regarding a zero-day exploit that targets Plesk. The exploit code was disclosed on a mailing list by a security researcher known as "Kingcope". According to Kingcope, the vulnerability is due to a PHP misconfiguration in Plesk.

Based on the blog entry by Parallels, Plesk 9.5.4, 10.x and 11.x, and Parallels Plesk Automation are not vulnerable to this exploit. It is reportedly an old vulnerability, covered in CVE-2012-1823, which affects certain older Plesk versions.

Once the vulnerability is successfully exploited, cybercriminals gain full control of websites running on Plesk and may subsequently compromise these websites to host malware.

What is the Plesk vulnerability all about?

Parallels Plesk Remote PHP Command Execution Vulnerability refers to a vulnerability found in Plesk software. When it is exploited, remote attackers can execute arbitrary code, enabling them to take full control of the system. For instance, an attacker can inject command-line options into the PHP interpreter through a web request. A compromised server can then be made to host malicious code, so users visiting a website run on Plesk may have their systems infected with other malicious files.

What happens when the exploit code is executed?

The exploit code calls the PHP interpreter directly via the following arguments:

  • allow_url_include=on
  • safe_mode=off
  • suhosin.simulation=on

Based on our analysis, the allow_url_include setting permits an attacker to include any PHP script, and suhosin.simulation relaxes the Suhosin hardening extension, which, in effect, renders the system vulnerable.
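As an added example (not from the original article, Parallels or Trend Micro), the following Python check flags requests of this kind in an Apache access log. It assumes the vulnerable php-cgi alias path /phppath/ named in the mitigation section below, relies on the CGI rule that a query string with no unencoded "=" is handed to the interpreter as command-line arguments, and runs over constructed sample log lines.

```python
import re
from urllib.parse import unquote_plus

# php.ini settings the write-up says the exploit forces on the interpreter.
SUSPECT_DIRECTIVES = ("allow_url_include", "safe_mode", "suhosin.simulation")
# Apache common log format; "url" is the request target including any query string.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# A php-cgi option such as -d (define an ini setting) or -s (show source) at a token start.
PHP_CGI_OPTION = re.compile(r"(?:^|\s)-[a-zA-Z]\b")
# Assumed alias path, taken from the ScriptAlias line discussed in the article.
PHP_CGI_ALIAS = "/phppath/"

def classify_request(url):
    """Return the names of the forced directives if the request looks like php-cgi
    argument injection against the alias, otherwise an empty list."""
    path, _, raw_query = url.partition("?")
    if not path.lower().startswith(PHP_CGI_ALIAS):
        return []
    # The CGI spec passes the query string to the program as argv only when it
    # contains no unencoded '='; injected option strings therefore encode '=' as %3D.
    if "=" in raw_query:
        return []
    query = unquote_plus(raw_query)  # '+' and %XX become the spaces and '=' seen by php-cgi
    if not PHP_CGI_OPTION.search(query):
        return []
    return [d for d in SUSPECT_DIRECTIVES if d in query]

def scan_log(lines):
    """Yield (client ip, forced directives) for every line that trips the check."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        found = classify_request(m.group("url"))
        if found:
            yield m.group("ip"), found

# Constructed sample log lines (not real traffic): a normal hit on the alias,
# an ordinary application request, and one carrying encoded php-cgi options.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2013:10:01:02 +0000] "GET /phppath/php?page=1 HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Jun/2013:10:01:03 +0000] "GET /index.php?safe_mode=off HTTP/1.1" 200 120',
    '203.0.113.7 - - [10/Jun/2013:10:01:04 +0000] "POST /phppath/php?-d+allow_url_include%3Don'
    '+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, directives in scan_log(SAMPLE_LOG):
        print(f"{ip}: php-cgi argument injection, forced {', '.join(directives)}")
```

Only the third sample line is reported; the second shows why the check keys on the alias path and the unencoded "=" rule rather than on the directive names alone.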

What is the impact of this threat to organizations?

Web server vulnerabilities may allow attackers to penetrate an organization’s network. Administrators often delay patch deployment because there are systems and servers that require 100% uptime. Restarting systems due to patch deployment could disrupt business operations. Before deploying patches, administrators would also need to do a quality assurance check for the behavior of these patches in their environment.

Once system administrators delay applying patches, networks are left vulnerable to attacks that take advantage of vulnerabilities in servers and systems.

In this case, the Plesk zero-day exploit targets older versions, so companies that do not regularly update servers running this software are affected. According to security researcher Sooraj KS, apart from gaining full control of the system, attackers can steal crucial company information stored in the web server's root directory and use it for their own nefarious ends. Furthermore, websites running on Plesk are at risk of being compromised.

Why should users be concerned with the Plesk zero-day exploit?

Cybercriminals are using this vulnerability to host backdoors. Users who visit compromised websites will end up with infected systems or have their data stolen.

What can users and organizations do to protect their systems against attacks leveraging this zero-day vulnerability?

Organizations need to update Plesk to the latest version to prevent attacks using this zero-day exploit. As previously mentioned, this exploit only targets older versions. Parallels Plesk Panel 9.5, 10.x and 11.x, and Parallels Plesk Automation are not affected by this threat.

It is also best to install security software that can detect malware and block access to malicious websites.

Are Trend Micro customers protected from this threat?

Yes. Trend Micro™ Deep Security provides protection via virtual patching, which works by creating rules that block the communication used by exploits at the network layer. It also provides this protection without requiring system downtime, so businesses can still meet their operational needs.

For this particular exploit, users are protected through the following Deep Security rule:

  • 1005529 – Parallels Plesk Remote PHP Command Execution Vulnerability

Administrators are also advised to delete or comment out the ScriptAlias /phppath/ "/usr/bin/" line in the Apache configuration, and to enable authentication on the Plesk control panel pages. For legacy systems, follow the workaround steps indicated on the website below:

  • http://kb.parallels.com/en/113818

EXPERT INSIGHTS:

"Botnets and other automated malware kits are already seen in the wild and compromise a large number of websites running vulnerable Plesk installations. It is important to update your software to the latest versions as well as protect web servers from network attacks." – Sooraj KS, threat researcher