Microsoft Windows Server 2008R2, Server 2012, Server 2012R2 and Server 2016 are vulnerable to Juicy Potato exploit

Comments

20 comments

  • burnleyvic

    Can you please reference the original advisory from Microsoft?

    0
  • Ivan Postnikov

    Hello @burnleyvic,

    The official article from Microsoft is absent.

    Here's one of the third-party blog posts about the issue:

    https://decoder.cloud/2018/10/01/fear-the-rotten-juicy-potato-attack/

    For additional information, contact Microsoft Support directly: https://support.microsoft.com/

    0
  • Simple Hosting GmbH

    Hello

    We cannot disable DCOM because a lot of ASP.NET or ASP will not work anymore. Are there any other solutions for that? Could we change the security settings for DCOM to prevent the server from being vulnerable to that?

    Best regards, Chris

    0
  • Ivan Postnikov

    Hello Simple Hosting GmbH,

    The only 100% valid solution is migration to Windows Server 2019 because previous versions are affected.

    > Could we change the security settings for DCOM to prevent the server from being vulnerable to that?

    As far as I know, there's no such workaround. To clarify this, I suggest contacting Microsoft Technical Support.

    0
  • ap

    Hello, I'm the co-author of "JuicyPotato". As we wrote in our post: "It's nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging." There are plenty of out-of-process DCOM servers (https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md). So the only "workaround" is to protect sensitive accounts and applications if you don't upgrade to Windows 2019 server. From MS's point of view, if you have impersonation privileges, the behavior is by design...

    0
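The comment above says the only real mitigation short of upgrading is to protect the accounts and applications that hold impersonation privileges. The following PowerShell script is an added example (it is not from this thread, from Plesk, or from the JuicyPotato project) that inventories which principals on a server hold `SeImpersonatePrivilege` and `SeAssignPrimaryTokenPrivilege`, so that review can start from facts rather than guesses. It assumes an elevated PowerShell session on the Windows Server itself and the built-in `secedit.exe`; the list of "expected default holders" is an assumption drawn from common Windows Server defaults and should be checked against your own baseline. The script only reads policy and changes nothing.

```powershell
# Added example; not from the thread or the JuicyPotato project.
# Lists which principals on this host hold the two token privileges the comment
# above calls "impersonation privileges", as a starting point for protecting
# sensitive accounts and applications.
# Assumptions: elevated PowerShell on the Windows Server; secedit.exe (part of
# Windows) is available. Read-only: nothing in policy is modified.

$privilegesOfInterest = @(
    'SeImpersonatePrivilege',        # "Impersonate a client after authentication"
    'SeAssignPrimaryTokenPrivilege'  # "Replace a process level token"
)

# Holders normally present on Windows Server (assumed defaults, verify against your
# own baseline): LOCAL SERVICE, NETWORK SERVICE, SERVICE, Administrators, and
# IIS_IUSRS once IIS is installed. Anything beyond these deserves a second look.
$expectedSids = @('S-1-5-19', 'S-1-5-20', 'S-1-5-6', 'S-1-5-32-544', 'S-1-5-32-568')

function Resolve-SidToName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # orphaned or foreign SID: report the raw value rather than dropping it
    }
}

function Get-LocalPrivilegeHolders {
    # secedit can only write its export to a file, so use a temporary .inf
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $holders = @{}
        foreach ($line in Get-Content -Path $cfg) {
            # [Privilege Rights] lines look like:  SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20
            # Well-known SIDs carry a leading '*'; local accounts may appear by name.
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $holders[$matches[1]] = @($matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ })
            }
        }
        return $holders
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-ImpersonationPrivilegeReport {
    $holders = Get-LocalPrivilegeHolders
    foreach ($priv in $privilegesOfInterest) {
        if (-not $holders.ContainsKey($priv)) { continue }   # nobody holds it: nothing to report
        foreach ($entry in $holders[$priv]) {
            $isSid = $entry -like 'S-1-*'
            [pscustomobject]@{
                Privilege = $priv
                Account   = if ($isSid) { Resolve-SidToName $entry } else { $entry }
                Sid       = if ($isSid) { $entry } else { '(by name)' }
                Review    = if (-not $isSid -or $expectedSids -notcontains $entry) { 'yes: not a default holder' } else { '' }
            }
        }
    }
}

Get-ImpersonationPrivilegeReport | Format-Table -AutoSize
```

Note what the report will show even on a clean server: the well-known SERVICE group (S-1-5-6) holds `SeImpersonatePrivilege`, which is why every Windows service, and every IIS application pool once IIS_IUSRS is added, has the privilege the comment describes as "by design". The rows flagged for review are the ones a host can actually act on: named accounts or extra groups that were granted the right without needing it.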
  • Anton Maslov (Edited)

    Hello @ap, we would really appreciate it if you could get in touch with our security team so we can discuss this topic in more detail: security@<our_site_name> :)

    0
  • SysAdminCPT (Edited)

    I recommend you email all your customers ASAP informing them to do full server backups, as it seems to be a huge attack recently.

    Our first Windows 2012 R2 server was affected yesterday, but luckily we do regular server-level backups every few days and could restore what was affected by using them.

    However, we noticed an attempt on another server this morning.

    Hence we will be informing customers and are moving them urgently to new Windows Server 2019 servers.

    We hence recommend all web hosts offering any shared Windows hosting, no matter what web panel you use, to do so urgently as well.

    It's a huge vulnerability Microsoft will not fix and quite a sad time for Windows hosts.

    Note: if you have an extra backup drive attached as local storage to Plesk servers, they hack and encrypt the backups as well. Just a note.

    Hence make backups, backups, backups of full servers using Acronis, R1Soft or Hyper-V etc.

    0
  • Ivan Postnikov (Edited)

    Hello SysAdminCPT,

    Thank you for the message.

    Plesk clients are being notified about this issue.

    0
  • Fabio

    Is there a correct way to do an in-place upgrade from Windows Server 2012 R2 to Windows Server 2019 in order to keep Plesk running correctly during the process?

    0
  • Johnnya

    What if you're not using shared plesk hosting? Or if you would restrict plesk access to only a certain set of IP addresses? Would that mitigate an attack?

    0
  • Julian Bonpland Mignaquy

    Fabio,

    Such a scenario is not supported by Plesk. Instead, it is recommended to migrate Plesk to another server with a newer Windows version using the Migration and Transfer Manager.

    0
  • Fabio

    Thank you, Julian.

    0
  • burnleyvic

    Can we run Obsidian on Windows Server 2019 Essentials? Has this been tested for 100+ subscriptions?

    0
  • Ivan Postnikov

    Hello Johnnya,

    In case your Plesk installation is for internal use, limiting server access to a list of IPs should do the trick.

    As for shared hosting, as long as a domain may potentially be hacked, it may be used to gain privileges.

    The ultimate fix is still to migrate to Windows Server 2019.

    Hello burnleyvic,

    The list of supported Windows Server 2019 editions may be found here:

    64-bit, Standard, Datacenter, and Essentials editions.

    So, Essentials edition limitations should influence Plesk functionality.

    0
  • Aziz

    I noticed when they hacked one of our servers they used ransomware to encrypt all files. Luckily we did regular backups. However, I'd like to know, once we have completed migrating to a new server on Windows 2019, is it advisable to enable ransomware protection? I already see it picked up some weird files and a file called potato.exe and quarantined it in Windows Defender. But has anyone used the ransomware protection option yet? Will it cause issues if we protect the mail, website and DB folders from access using this feature?

    0
  • Anton Maslov

    @Aziz, generally it should work, but some solutions produce false-positive detections for Plesk files. Thus, we recommend excluding the folder with the Plesk installation from being checked.

    1
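The "ransomware protection" the question refers to is Windows Defender's Controlled Folder Access, and the reply's advice is to exclude the Plesk installation folder from scanning. The PowerShell below is an added example, not Plesk's or Microsoft's own guidance, that rolls this out the cautious way: enable the feature in audit mode first, protect the mail, web and database data folders, allow only the binaries that legitimately write into them, add the scanning exclusion, and then read back the audit events to see what would have been blocked. It assumes a Windows Server with Defender and its PowerShell module (`Get-MpPreference`, `Set-MpPreference`, `Add-MpPreference`) in an elevated session. Every path in it is a constructed placeholder; the real Plesk installation path and data folders must be substituted.

```powershell
# Added example, not Plesk's or Microsoft's guidance: enable Defender's ransomware
# protection (Controlled Folder Access) in audit mode, protect hosting data folders,
# and exclude the Plesk installation from scanning as the reply above suggests.
# Assumptions: Windows Server with the Defender PowerShell module; run elevated.
# All paths are placeholders constructed for this example; replace them.

$pleskDir       = 'C:\PLACEHOLDER\Plesk'                                   # Plesk installation folder (placeholder)
$hostingFolders = @('D:\PLACEHOLDER\vhosts', 'D:\PLACEHOLDER\Mail', 'D:\PLACEHOLDER\Databases')   # constructed
$pleskBinaries  = @('C:\PLACEHOLDER\Plesk\bin\example.exe')                # placeholder: processes that must write into those folders

function Get-RansomwareProtectionState {
    # Current state, so it can be reviewed before and after the change
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
        ProtectedFolders = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($p.ControlledFolderAccessAllowedApplications)
        ScanExclusions   = @($p.ExclusionPath)
    }
}

function Enable-HostingFolderProtection {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')

    # 1. Audit mode first: writes are logged (event 1124) but not blocked (event 1123),
    #    so false positives against mail/web/db writers surface without breaking customers.
    Set-MpPreference -EnableControlledFolderAccess $Mode

    # 2. Put the customer data folders under protection. The Plesk program folder is
    #    not a good candidate here: it holds software, not the data ransomware targets.
    foreach ($f in $hostingFolders) {
        if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    }

    # 3. Allow the applications that legitimately write there (web, mail, database and
    #    panel processes). Only binaries confirmed from the audit events belong in this list.
    foreach ($exe in $pleskBinaries) {
        if (Test-Path $exe) { Add-MpPreference -ControlledFolderAccessAllowedApplications $exe }
    }

    # 4. Scanning exclusion for the Plesk installation, as the reply recommends.
    #    An excluded folder is also a blind spot, so keep it as narrow as possible.
    if (Test-Path $pleskDir) { Add-MpPreference -ExclusionPath $pleskDir }
}

function Get-ControlledFolderAccessEvents {
    # Recent audit/block events show which process touched which protected folder
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-RansomwareProtectionState
Enable-HostingFolderProtection -Mode AuditMode
Get-ControlledFolderAccessEvents -Hours 24 | Format-Table -AutoSize
```

Run it in audit mode for a few days of normal customer activity, review the 1124 events, add any legitimate writer that shows up to the allowed list, and only then switch the mode to `Enabled`. That ordering answers the question in the comment: the feature does break mail, web and database writes if their processes are not allowed, and audit mode is how you find out which ones before it matters.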
  • Fabian

    How can I find out if my server is infected?

    0
  • Ivan Postnikov

    Hello Fabian,

    If there are no suspicious symptoms, you may try scanning the server using antivirus software and contacting any available security company to conduct a server audit.

    The general recommendation is still to migrate domains to the server with Windows Server 2019.

    0
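The reply above recommends an antivirus scan and an audit. Before an audit is booked, a host can already do a first-pass triage with the data Windows Defender keeps on the box. The script below is an added example (not Plesk's own procedure) that pulls Defender's detection history (where an earlier comment saw `potato.exe` quarantined), the relevant Defender event IDs, and a file-churn summary that makes the classic symptom of this thread, a burst of freshly written files with one unfamiliar extension, stand out. It assumes a Windows Server with Defender active and its PowerShell module, run in an elevated session; the data-folder path is a constructed placeholder. It reads and reports only.

```powershell
# Added example, not Plesk's own procedure: first-pass "is this server infected?"
# triage from data Windows Defender already keeps locally.
# Assumptions: Windows Server with Defender active and its PowerShell module;
# elevated session. Read-only: nothing is changed or cleaned.

function Get-RecentDefenderDetections {
    # Detection history with the resources involved (e.g. a quarantined file path)
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                When      = $_.InitialDetectionTime
                Threat    = if ($threat) { $threat.ThreatName } else { $_.ThreatID }
                Resources = ($_.Resources -join '; ')
                User      = $_.DomainUser
                StatusId  = $_.ThreatStatusID   # raw Defender status code; see Microsoft's docs for the mapping
            }
        }
}

function Get-RecentDefenderEvents {
    # 1116 = malware detected, 1117 = action taken, 5001 = real-time protection disabled.
    # The last one matters: attackers commonly switch protection off before dropping tools.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 5001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-RecentFileChurn {
    # Ransomware leaves a burst of freshly written files sharing one odd extension.
    # Grouping recently modified files by extension makes such a burst obvious.
    param([string]$Path, [int]$Hours = 24, [int]$Top = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, @{ n = 'Extension'; e = { if ($_.Name) { $_.Name } else { '(none)' } } }
}

# Usage (the data folder is a constructed placeholder; point it at the real vhosts root)
Get-RecentDefenderDetections -Days 30 | Format-Table -AutoSize
Get-RecentDefenderEvents     -Days 30 | Format-Table -AutoSize
Get-RecentFileChurn -Path 'D:\PLACEHOLDER\vhosts' -Hours 24 | Format-Table -AutoSize
```

A clean result from this script is not proof of a clean server; it only means Defender saw nothing and no mass rewrite happened in the window checked. A detection of a privilege-escalation tool, a 5001 event you did not cause, or a spike of one unknown extension across customer folders is the point at which to preserve the server image and the event logs and escalate to the audit the reply suggests, rather than to start cleaning.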
  • quachdinhhop

    Server error

    500

    Zend_Db_Adapter_Exception

    SQLSTATE [HY000] [2002] No connection could be made because the target machine actively refused it.


    Type Zend_Db_Adapter_Exception
    Message SQLSTATE [HY000] [2002] No connection could be made because the target machine actively refused it.
    File Abstract.php
    Line 144
    0
  • Ivan Postnikov

    Hello quachdinhhop,

    The error by itself is quite generic.

    Additional investigation is required.

    Consider creating a request to Plesk Technical Support.

    0
