Microsoft Windows Server, in its default configuration, has a critical vulnerability that allows an attacker who can already run code on the server (through a compromised or malicious web application, for instance) to escalate their privileges. In a multi-tenant Plesk deployment (shared hosting) this means a Plesk customer can upload specially crafted scripts to their own subscription and use them to obtain Administrator privileges on the whole server.
Is this vulnerability in Plesk?
No. This is a vulnerability in Microsoft Windows Server itself. Plesk configures IIS accounts the same way IIS does on a clean server with no Plesk installed, so a server without Plesk is exposed in the same way.
Which versions of Microsoft Windows Server are affected?
Windows Server 2019 is not affected by this vulnerability.
Earlier versions (Windows Server 2008 R2, Server 2012, Server 2012 R2 and Server 2016) are affected.
Is this vulnerability going to be fixed for affected versions of Windows Server?
Microsoft does not offer hardening recommendations for versions of Windows Server prior to 2019, because the issue is rooted in the architecture of those operating systems. The official recommendation is: “Using Windows Server 2019 would mitigate this attack vector”.
What are Plesk recommendations regarding this vulnerability?
We are currently working on a precise solution to the issue. Until one is available, as a temporary workaround for affected versions of Windows Server, Plesk proposes disabling DCOM support on the server according to the Microsoft article here.
Please note that a server restart is required for the change to take effect. Once applied, this mitigates the vulnerability, and the existing exploits no longer work.
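The following PowerShell script is an added example and is not part of the Plesk article or Plesk's own tooling. It applies the registry form of the Microsoft guidance (the `EnableDCOM` REG_SZ value under `HKLM\SOFTWARE\Microsoft\Ole` set to `N`, which is equivalent to clearing "Enable Distributed COM on this computer" in Component Services), records the current state first, exports a backup of the key so the change can be reverted if a hosted site depends on DCOM, and reminds you that nothing takes effect until the server is restarted. The backup file location is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the Plesk article): disable DCOM via the registry
# value used by the Microsoft guidance, with a pre-check and a rollback path.
# Run in an elevated PowerShell session on an affected Windows Server.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    # A missing value or anything other than "N" means DCOM is enabled
    # (the Windows default).
    $v = (Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    if ($v -eq 'N') { 'Disabled' } else { 'Enabled' }
}

Write-Host "DCOM before change: $(Get-DcomState)"

# Back up the key first so the mitigation can be undone if a hosted website
# or domain component turns out to rely on DCOM. Path is an assumption.
$Backup = Join-Path $env:TEMP 'Ole-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $Backup /y | Out-Null
Write-Host "Registry backup written to $Backup"

# The actual mitigation: EnableDCOM = "N" (REG_SZ). Only read at boot,
# so the server is still vulnerable until it is restarted.
Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N' -Type String

Write-Host "DCOM after change (pending restart): $(Get-DcomState)"
Write-Host "A restart is required for the change to take effect."
Write-Host "To revert: reg.exe import $Backup, then restart again."

# Uncomment once a maintenance window is scheduled:
# Restart-Computer -Force
```

Re-run `Get-DcomState` after the reboot to confirm the value persisted; if a customer site breaks, import the exported `.reg` file and restart to return to the previous state.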
Are there any risks of applying proposed solution?
Plesk itself does not use DCOM directly, and we have tested the main Plesk scenarios with these changes applied.
However, hosted websites may rely on DCOM, and disabling it may affect their functionality. Disabling DCOM may also affect servers that are members of a Windows domain.
- If you face any issues with Plesk in this context, contact our support team. Please use the keyword PFSI-61569 to ensure efficient handling of your request.
- If you face any issues in your infrastructure that are not related to Plesk, please contact Microsoft directly to resolve them in your particular environment.