Situation
The article "COMPROMISING PLESK VIA ITS REST API" disclosed a vulnerability in the Plesk REST API extension. The issue is tracked as #PFSI-63762.
An attacker who uses social engineering to lure a user who is already authenticated to the Plesk REST API onto a malicious HTML page can have that page send a request to the REST API cli-gate endpoint, https://203.0.113.2:8443/api/v2/cli/commands (where 203.0.113.2 stands for the Plesk server's address). The request executes a Plesk CLI command on the server on behalf of the authenticated user, i.e. a cross-site request forgery against the REST API.
Impact
Plesk 17.8 and later are affected: an attacker can execute CLI commands and alter settings, including changing the admin password.
98.4% of Plesk servers received the extension update automatically and were not impacted.
Fixes were delivered as follows:
- For Plesk versions 18.0.26 and newer: July 5, 2022
- For Plesk versions 17.8.10 - 18.0.25: September 26, 2022
Call to Action
The fix was delivered as an update of the REST API extension, which the Daily Maintenance scheduled task normally installs automatically.
If that task is not running on the server, the extension may still be vulnerable. Check the installed version as follows:
- Connect to the server via SSH (Linux) or RDP (Windows).
- Run the following command (on Windows, in cmd.exe):
# plesk db "select name, version from Modules where name = 'rest-api'"
The REST API extension version should be:
- For Plesk versions 18.0.26 and newer: 1.5.9 or higher
- For Plesk versions 17.8.10 - 18.0.25: 1.4.8 or higher
If the installed version is lower than the one listed for the Plesk version in question, upgrade the REST API extension with the following command:
For Plesk version starting from 18.0.26
# plesk bin extension -g rest-api
For Plesk versions 17.8.10 - 18.0.25
# plesk bin extension --upgrade-url https://ext.plesk.com/packages/5d72bca6-ab97-4faf-89a4-5ea9ee5a4d1f-rest-api/download?1.4.8-197
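The check described above, as an added shell example that is not part of the advisory or of Plesk's own tooling: it parses the table that the plesk db query prints, picks the minimum fixed extension version for the server's Plesk branch from the list above, and compares dotted versions. The sample table output is constructed to look like the mysql client's default table layout; that layout, and the choice to ignore a "-<build>" suffix such as 1.4.8-197 when comparing, are assumptions of this example and should be verified against your own server before the script is relied on.

```shell
#!/bin/sh
# Added example, not Plesk tooling: decide whether the installed rest-api
# extension is at or above the fixed version listed in the advisory.

# version_ge A B: succeed when dotted version A is greater than or equal to B.
# Assumption: a trailing "-<build>" suffix (e.g. 1.4.8-197) is dropped and only
# the dotted part is compared numerically, field by field.
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# required_rest_api_version PLESK_VERSION: print the minimum fixed extension
# version for that Plesk branch (values from the advisory), or nothing when the
# Plesk version is older than 17.8.10 and thus outside the advisory's fix table.
required_rest_api_version() {
    if version_ge "$1" 18.0.26; then
        echo 1.5.9
    elif version_ge "$1" 17.8.10; then
        echo 1.4.8
    fi
}

# module_version_from_table TABLE: extract the version column of the rest-api
# row from mysql-style table output ("| rest-api | 1.4.7 |"). Separator and
# header lines are skipped because they have no "rest-api" name field.
module_version_from_table() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 3 {
            name = $2; ver = $3
            gsub(/[ \t\r]/, "", name); gsub(/[ \t\r]/, "", ver)
            if (name == "rest-api") { print ver; exit }
        }'
}

# rest_api_fixed PLESK_VERSION TABLE: succeed only when the installed rest-api
# version is at or above the fixed version for that Plesk branch. An unknown
# branch or a missing rest-api row is reported as not fixed.
rest_api_fixed() {
    installed=$(module_version_from_table "$2")
    required=$(required_rest_api_version "$1")
    [ -n "$installed" ] && [ -n "$required" ] || return 1
    version_ge "$installed" "$required"
}

# Constructed sample outputs (assumed mysql table layout) of:
#   plesk db "select name, version from Modules where name = 'rest-api'"
SAMPLE_PATCHED='+----------+---------+
| name     | version |
+----------+---------+
| rest-api | 1.5.9   |
+----------+---------+'
SAMPLE_OLD='+----------+-----------+
| name     | version   |
+----------+-----------+
| rest-api | 1.4.7-150 |
+----------+-----------+'

# On a live server, replace the sample with the real query output:
#   TABLE=$(plesk db "select name, version from Modules where name = 'rest-api'")
for case in "18.0.45:$SAMPLE_PATCHED" "18.0.20:$SAMPLE_OLD"; do
    plesk_ver=${case%%:*}
    table=${case#*:}
    if rest_api_fixed "$plesk_ver" "$table"; then
        echo "Plesk $plesk_ver: rest-api $(module_version_from_table "$table") is at or above the fixed version"
    else
        echo "Plesk $plesk_ver: rest-api $(module_version_from_table "$table") is below the fixed version, upgrade the extension"
    fi
done
```

The script only reports; it does not run the upgrade command itself, so the operator still chooses the plesk bin extension invocation that matches the Plesk branch, as listed above.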
Note: to keep the Plesk server protected with the latest security updates, keep it up to date:
https://plesk-new.zendesk.com/hc/en-us/articles/12377055926551