- Plesk 12.5 for Linux
- Plesk 12.0 for Linux
An SSLLabs check shows that the server is vulnerable to the DROWN attack: not directly, but because it shares an RSA key with a host that still supports SSLv2.
Both servers share the same RSA key. This can happen if a Plesk server was fully set up and then used as a template to create other servers, or if one certificate was issued to secure several different servers.
A server with SSLv2 enabled can be used to attack other servers that share its RSA key (CVE-2016-0800) or, if it runs a vulnerable version of OpenSSL, to attack all hostnames that appear in its certificate (CVE-2016-0703).
There are two different ways to solve this issue:
Disable SSLv2 on the vulnerable server using a script:
- Connect to the server using SSH.
- Download the archive with the script that automatically disables SSLv3 and SSLv2 on the server:
# wget https://kb.plesk.com/Attachments/kcs-40007/ssl_v3_disable.zip
# unzip ./ssl_v3_disable.zip
- Make the script executable:
# chmod +x ./ssl_v3_disable.sh
Warning: This script is not intended to be used on Plesk Onyx!
Note: It is strongly advised to reissue certificates for all previously affected hosts.
Change the default IP address and the default Plesk SSL certificate on the server:
A new certificate must be issued. If the previous certificate was not self-signed, contact the certificate issuer's support.
- Go to Tools & Settings > SSL Certificates > Add
- Fill out all required forms and click on Self-Signed to create a certificate.
- Select the new certificate and click Make Default.
Note: Make Default automatically performs the following steps:
- Go to Tools & Settings > IP Addresses and choose the vulnerable IP address.
- Change the SSL certificate from the previous certificate to the new one.