Parallels Plesk Panel 12.x & 11.x secret_key potential leakage

Refers to:

  • Plesk 11.0 for Windows
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Windows
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Windows
  • Plesk 12.0 for Linux

Created:

2016-11-16 13:07:40 UTC

Modified:

2016-12-21 20:00:41 UTC

Symptoms

A potential security vulnerability was found that impacts Parallels Plesk Panel for Linux 11, 11.5 and 12 preview.

Cause

A minor vulnerability exists in Plesk that can theoretically give unauthorized users access to the content of the /etc/psa/private/secret_key file on Linux and to the same secret key in the registry on Windows. You can read more about the foundation of this vulnerability and the astronomically large computational resources required for anything more than theoretical exploitation here.

Resolution

Parallels confirms this vulnerability exists, but an exploit would require a nearly unattainable amount of computational resources to determine the necessary 16-byte random security number. Therefore, the threat posed by this vulnerability is extremely low.

The vulnerability was fixed on April 29, 2014, in the following microupdates:

  • Parallels Plesk Panel 11.5.30 MU#44
  • Parallels Plesk Panel 11.0.9 MU#61

Parallels urges all customers to turn on automatic microupdates.
