Situation
Microsoft Windows Server in its default configuration has a critical vulnerability, that can cause an escalation of privileges if a server is compromised. In a context of multi-tenant Plesk use (shared hosting) this allows a Plesk client to upload special scripts in their subscription to obtain Administrator privileges for the server.
Is this vulnerability in Plesk?
No, this is a vulnerability in the Microsoft Windows Server. Plesk itself configures IIS accounts the same way as IIS itself on a clean server without Plesk installed at all.
However, to track all details about the vulnerability it is addressed by Plesk Development Team as an internal entity with ID PFSI-61569.
Is my server affected?
The following versions of Windows are affected:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Windows Server 2019 is not affected by this vulnerability.
Will the vulnerability be fixed by Microsoft?
Microsoft does not offer hardening recommendations for versions of Windows Server prior to 2019 due to architectural implementation in operating systems. The official recommendation is “Using Windows Server 2019 would mitigate this attack vector”.
What can I do?
Plesk recommends updating the installation to Plesk Obsidian 18.0.32 or newer. The security was improved in this version. The improvements include measures against this vulnerability.
If it can not be done for any reasons:
-
As a workaround, disable DCOM support on the server according to the Microsoft article for affected versions of Windows Server.
Note: The server restart is required for changes to take effect. These changes will mitigate the vulnerability, and existing exploits will not work anymore.
-
Migrate to Plesk on Windows Server 2019, since this OS version is not affected by the vulnerability.
Note: The notification in Plesk is not hidden automatically after applying the solution. To hide it, click I got it and understand the risk.
Are there any risks of applying the proposed solution?
DCOM is not used by Plesk, and main Plesk usage scenarios have been tested with it disabled.
However, it may be used by hosted websites, and this action may somehow affect their functionality. Disabling DCOM may also affect environments located in the Windows Domain.
If any issues in the infrastructure not related to Plesk occur after applying the workaround, contact Microsoft directly.