0-day exploit for Plesk site management tool in circulation
A member of a hacker forum is currently selling a 0-day exploit for Parallels Plesk, a web front end for managing internet sites. The exploit is believed to give attackers full control of sites that are managed via Plesk. It apparently ships with a graphical tool that lets attackers extract the administrator's password, read arbitrary files and execute code on the server.
The exploit is currently being offered for $8,000. According to a report by security researcher Brian Krebs, it has already been used to attack and compromise thousands of web sites. It reportedly affects all versions of Plesk up to and including 10.4.4; the current version, Plesk Panel 11.0, does not appear to be vulnerable. Because upgrading to Plesk 11 from Plesk Panel 10.3.1 has caused problems for some users in the past, many administrators still run older revisions.
Parallels has published a security advisory stating that the company is looking into the matter but cannot confirm the vulnerability at this time. According to the company, the underlying hole had already been closed in earlier releases, but installations remain at risk if administrators never changed their passwords after upgrading: credentials harvested before the fix would still be valid. Parallels is advising users to keep their installations updated and to upgrade to Plesk 11 where possible. In addition, administrators should check their systems for suspicious scripts, terminate any currently active Plesk sessions and reset passwords.
Parallels Plesk provides graphical management tools for all web server functionality, including email accounts and web applications. The software is available for a number of Linux distributions (CentOS, CloudLinux, Debian, Red Hat Enterprise Linux, SUSE and Ubuntu) as well as for Windows. The exploit being sold on the hacker forum targets only the Windows product; whether the Linux builds are vulnerable in a similar way is currently unknown.