Critical Security Vulnerability -> how about Expand compatibility?!

Discussion in 'Plesk Expand 2.3 General Discussion' started by CryoGenID, Feb 9, 2012.

  1. CryoGenID

    CryoGenID New Member

    Messages:
    148
    Hello everybody!

    You all have received the mail today regarding the "Critical Security Vulnerability" in all Plesk-Products.

    So our question now is:
    - Can we upgrade/patch our Linux and Windows versions (8.6) of Plesk and will they still work with Expand OK?
    - Can we upgrade/patch our windows 9.5 c-mail plesk (incl. special hotfix for expand compatibility) with the patch and will
    it still work OK with Expand? Or do we need a new "special hotfix" so that it still works with Expand?

    Thanks a lot for a quick answer from the Expand Devs!

    Best regards,

    Christian
  2. CryoGenID

    CryoGenID New Member

    Messages:
    148
    Dear Parallels-Staff,

    any updates on this here?
    This seems to be a MAJOR SECURITY ISSUE, so please be so kind as to answer here ASAP...
    We think all of your customers are interested in how they can proceed in this matter...

    Thanks a lot and best regards,

    Christian
  3. CryoGenID

    CryoGenID New Member

    Messages:
    148
    Still no answer?

    Unbelievable...

    Best regards,

    Christian
  4. CryoGenID

    CryoGenID New Member

    Messages:
    148
    As Parallels doesn't seem to take this issue seriously (we think that this is a terrible bug with
    a HUGE impact):
    We have now patched all 8.6-Servers without any problems and the patch for 9.5.4 (with special hotfix for Expand) can also be applied as it regards other files than the special expand-hotfix.

    The only question which is still unanswered is, if Expand itself is also "open to the public" as all Plesk Control Panels seem to be.

    We wish you all good luck with patching your systems!

    Best regards,

    Chris
  5. Ronan@

    Ronan@ New Member

    Messages:
    17
    I am also interested in hearing the answer to this question. We have patched all our Plesk 9.5.4 servers with the latest micro-updates and everything seems to be working fine. However I am seriously worried about the security of our expand instance.

    We had an unknown compromise on our expand node last week and I was unable to find the source. A rootkit was installed in the expand VPS and it was being used for DOS attacks. I have since migrated expand to a newer VPS and it seems fine now but I am curious how the original hack was executed. It was a VPS dedicated to expand so there weren't many ways for the VPS to be compromised.

    Can someone from Parallels confirm if expand is vulnerable to the recent exploits in Plesk?
  6. CryoGenID

    CryoGenID New Member

    Messages:
    148
    We have managed to establish a contact to the devs of Expand.

    Expand itself is not vulnerable to the _current_ SQL-Injection-Bug, but that doesn't mean that there might be another bug somewhere in Expand ;-)

    But the current exploit doesn't work on Expand, so at least here we can be relieved...

    Best regards,

    Chris
  7. CryoGenID

    CryoGenID New Member

    Messages:
    148
    So as a new security vulnerability has been found (again!), we had to upgrade our c-mail server
    to Plesk 9.5.5.

    We have upgraded to 9.5.5, then applied the Expand-Patch for 9.5.5, then the MicroUpdates and then again the Expand-Patch (just to be sure).
    We already wondered, why we didn't get the license agreement when we logged in as "admin" (we did get that before on 9.5.4 after installing the patch) but didn't pay that much mind.

    But now we cannot create new eMail-Addresses!
    THIS IS ABSOLUTELY VITAL FOR US THAT THE CMAIL-SERVER WORKS!

    The Mailsystem (IceWarp) worked perfectly before with Plesk 9.5.4 and the Expand-Patch...

    This is the error we get:
    "Error: Unable to update the mail account properties:mailmng failed: Empty error message from utility."

    The eMail-Address is created inside IceWarp but not shown inside Plesk (most likely because of the error).

    Windows Event Log:
    As we had to choose between an open hole in Plesk and risking to break something,
    we went for the "secure Plesk first"-way as the worldwide impact of the "old" vulnerability
    didn't leave us much choice but to patch RIGHT AWAY.

    So please Parallels, do not let us down here now, we really need to get this back working!

    Thanks a lot and best regards

    Christian
