Attacks Target Plesk Flaw Impacting Some Apache Servers


Security firms are tracking ongoing attacks targeting a vulnerability in a hosting control panel behind thousands of websites that could be used by cybercriminals to gain access to sensitive files or compromise site visitors.

The vulnerability can be found in versions 9.0 to 9.23 of the Parallels Plesk Panel, according to Craig Bartholomew, Parallels' vice president of shared hosting and control panels, who confirmed to CRN that the software maker is aware of the issue. It can be targeted on some Apache Server configurations.

Support for the affected Plesk Panel versions is scheduled to be phased out June 9. Parallels Plesk is currently on version 11.

"Anyone on a version of the software that old are people who aren't paying attention," Bartholomew said. "All of this is resolvable by simply getting off of those old versions, and the vast majority of our customer base have upgraded."

[Related: 5 Significant Java Security Improvements That Foil Attacks]

Plesk is the control panel that is used by website owners to manage domains and website settings. It also can be used to set up and maintain a hosted environment of hundreds of sites. Bartholomew referred users to a Plesk Control Panel security best practices page for tips to mitigate risks.

The command injection vulnerability in Plesk is due to PHP misconfiguration and is similar to a flaw that surfaced in April that impacted a third-party webmail plugin for Plesk. Security firms said that an IRC botnet may be behind many of the early attacks.

In a blog entry about the threat, Craig Williams at Cisco Systems said the networking giant is "seeing multiple exploitation attempts across many customers." Sites impacted by the flaw are not likely being regularly maintained, Williams said.

"Given the nature of this vulnerability and the ease of exploitation, it is very likely that unpatched machines will continue to be compromised if not remediated," Williams wrote.

A message on the Full Disclosure Mailing List described the coding error and included freely available proof-of-concept code that targets the latest flaw. DarkLeech, an automated attack toolkit has been targeting certain Apache web server configurations and turning them into a broader botnet.

The Plesk version is believed to be used by more than 36,000 websites. Trend Micro said the flaw is easily exploitable using the available exploit code giving an attacker "complete compromise of the system with web service privileges."

"This vulnerability means all websites hosted on systems that use Plesk are at risk," wrote Sooraj K S, a development engineer at Trend Micro, in his analysis of the threat. "This spells trouble not only for web administrators, but for common Internet users who transact or simply browse sites supported by Plesk."

PUBLISHED ON JUNE 7, 2013