Parallels Plesk Flaw Left FTC Websites Open to Security Breaches


A flaw found in some versions of the hosting control panel Parallels Plesk Panel played a significant role in the recent attacks on the Federal Trade Commission’s websites, according to a report by Ars Technica.

The flaw in Parallels Plesk Panel, which lets hosting providers administer servers remotely, affects hosting companies that have not recently updated the software, along with their customers.

The incident is a cautionary tale for hosting companies and end users alike, and a reminder of how important it is to keep software up to date and apply security patches promptly.

One of the affected organizations was the public relations agency Fleishman-Hillard, which was hosting FTC websites on Media Temple’s servers when they were hacked by Anonymous’ Antisec collective last week. Media Temple has since asked the company to move its content to another web host’s servers.

Media Temple runs several versions of Plesk depending on the customer, including Plesk 8, 9 and 10. According to sources familiar with the FTC website hacks, Plesk was at least partly the route by which the Anonymous hackers got into the sites. It is still not entirely clear whether Media Temple knew how critical the Plesk flaw was at the time the FTC sites were hacked.

Media Temple chief marketing officer Kim Brubeckas said the company was unaware that Fleishman-Hillard was going to use its servers to host government accounts and, had it known, it would have advised against it, since the company is not a “FISMA-certified hosting service”.

The Plesk flaw allows a third party to modify a website’s user accounts, files and security settings. That means the hackers could retain access to sites they have already compromised even after hosting companies and their customers apply the security fixes.

Security experts recommend that customers of hosting companies that use Plesk double-check the content on their servers and accounts, and change their passwords immediately.
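“Double-check the content on your server” is only practical if you have a known-good baseline to compare against. The following script, added here as an illustration and not part of the original article or of any Plesk tooling, builds a SHA-256 manifest of a web root and reports files that were added, removed or changed since the baseline was taken. The directory layout and file contents in `demo()` are constructed for the example; the hypothetical `new_file.php` stands in for any file that appears on disk without the site owner putting it there.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the web root cannot
    pull unrelated files into the baseline.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return the paths that were added, removed or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a defaced page
    and an unexpected new file, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>welcome</html>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }")

        # In real use you would store this JSON somewhere the web server
        # cannot write to (e.g. a separate host) and reload it later.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulate tampering after the baseline was taken.
        (root / "index.html").write_text("<html>welcome<!-- changed --></html>")
        (root / "new_file.php").write_text("<?php // file not placed by the site owner ?>")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real web root by calling `build_manifest("/var/www/vhosts/example")` before and after, and keep the baseline JSON off the server so an attacker who can edit files cannot also edit the reference. Any entry under `added` or `modified` that the site owner cannot account for deserves a look.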

In an update posted on its website, Parallels says the flaw applies to Plesk 8.x, 9.x, 10.0.x, 10.1.x, 10.2.x and 10.3.x, on both Linux/Unix and Windows.

However, it confirms that “the issue has been completely fixed in Plesk 8.6 MU#2, 9.5 MU#11, 10.3 MU#5 and later.” The company has posted the fixes on the same page.
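Because the fix lands at a different micro-update (MU) number in each release line, “am I patched?” is not a single version comparison. The helper below, added here as an example and not code from Parallels or the article, parses a Plesk version string such as the `Parallels Plesk Panel 9.5.4 MU #11` form quoted in the comments and checks it against the three fixed builds named in the update. It assumes that “and later” covers any higher minor version within the same major line and any later major line, and that the third version component (the `.4` in `9.5.4`) does not affect which MU threshold applies; both are assumptions, not statements from the page. Releases older than 8.x are not listed in the advisory at all, so the function reports `None` for them rather than guessing.

```python
import re
from typing import Optional, Tuple

# Fixed builds named in the Parallels update quoted above:
# 8.6 MU#2, 9.5 MU#11, 10.3 MU#5 "and later".
# major -> (minor at which the fix shipped, MU number of the fix)
FIXED_IN = {
    8: (6, 2),
    9: (5, 11),
    10: (3, 5),
}

# Accepts "9.5.4 MU #11", "8.6 MU#2", "10.4.4", "Parallels Plesk Panel 9.5.4 MU #11".
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MU\s*#?\s*(\d+))?", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, mu); missing patch/MU default to 0."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Plesk version found in {text!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    patch = int(match.group(3)) if match.group(3) else 0
    mu = int(match.group(4)) if match.group(4) else 0
    return major, minor, patch, mu


def is_patched(text: str) -> Optional[bool]:
    """True if the version is at or past the fixed build for its line,
    False if it is an affected build, None if the advisory does not cover it."""
    major, minor, _patch, mu = parse_version(text)
    if major > max(FIXED_IN):
        return True            # assumption: later major lines carry the fix
    if major not in FIXED_IN:
        return None            # pre-8.x: not listed in the advisory
    fixed_minor, fixed_mu = FIXED_IN[major]
    if minor > fixed_minor:
        return True            # assumption: higher minor in the line is "later"
    if minor < fixed_minor:
        return False           # e.g. 9.0.x never received the 9.5 MU#11 fix
    return mu >= fixed_mu      # same minor: compare micro-update numbers


if __name__ == "__main__":
    for sample in ("9.5.4 MU #11", "9.5.4 MU #10", "8.6 MU#1", "10.4.4", "7.5"):
        print(f"{sample:<16} patched={is_patched(sample)}")
```

On a Linux/Unix host the installed version is normally readable from Plesk’s own version file, but which file that is varies by release, so the script takes the string as input rather than assuming a path.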


5 Comments

  1. Did somebody on the IT staff lose their job over this gross oversight? I mean, how hard is it to subscribe to software vendor's mailing lists for security updates?

  2. There are a lot of hosting providers that have been affected by this. The entire contents of the Plesk database is exposed during the exploit - usernames, passwords, customer information. Parallels DO NOT encrypt the database in any way - all information is compromised. Parallels support are not providing scripts or automated methods of resetting passwords, leaving hosts and customers to sort it out themselves. The patches do not encrypt the password information. Parallels are yet to fix this still huge vulnerability in their software. Storing passwords or customer information in unencrypted format is unforgivable of any reputable software company. That Parallels knew about this but failed to act in good time is staggering. That they have not been open and proactive in assisting their customers and partners to fix this properly is equally so. We note that we began seeing injections/attacks on the first day of the Parallels 2012 Summit (coincidence?) and that it is known that Parallels fired an entire team not long ago - disgruntled former employees perhaps? Either way the situation is a long way from resolved, and I suspect that many service providers such as ourselves are in damage limitation mode right now.

  3. Liam Eagle

    At first glance it didn't occur to me that the username might appear to be MediaTemple, let alone that it might be on purpose. For the record, I've edited the username to say "anonymous."

  4. Anonymous

    What Plesk didn't feel the need to include in that patch download page is that they've known about the problem since last September and decided to keep it quiet while hoping no one noticed. The fix was released on September 2nd, and the only thing remotely close to acknowledging it were the following two lines in the Plesk 9.5 release notes: Parallels Plesk Panel 9.5.4 MU #11 [02-Sep-2011] [-] SQL injection vulnerability fixed. Yes, a remotely exploitable root compromise gets two lines of attention. No email to customers (well until about five days ago once they realized there were widespread exploits occurring), no warning in the panel, no proactive notification of any type, just fix it and hope the damage isn't too great. If you've come to the conclusion that you can't trust them or their products, we're in the same boat.

  5. Yeah! Right, why is the Fed'l Government allowing Plesk panels as their Control Panel anyway? Plesk doesn't even take decent care of its Hosting Provider/ Clients. I'm thinking about leaving Plesk and returning to Cpanel.....
