Situation
Microsoft Windows Server, in its default configuration, has a critical local privilege escalation vulnerability: an attacker who has already compromised a server (for example, through a hosted website) can escalate to Administrator. In a multi-tenant Plesk setup (shared hosting) this means that a Plesk customer can upload specially crafted scripts to their own subscription and obtain Administrator privileges on the whole server.
Is this vulnerability in Plesk?
No, this is a vulnerability in Microsoft Windows Server. Plesk configures IIS accounts the same way IIS itself does on a clean server with no Plesk installed.
Which versions of Microsoft Windows Server are affected?
Windows Server 2019 is not affected by this vulnerability.
Other versions of Windows Server (2008 R2, 2012, 2012 R2, 2016) are affected.
Is this vulnerability going to be fixed for affected versions of Windows Server?
Microsoft does not offer hardening recommendations for versions of Windows Server prior to 2019 because of how the relevant functionality is implemented in those operating systems. The official recommendation is: "Using Windows Server 2019 would mitigate this attack vector".
What are Plesk recommendations regarding this vulnerability?
We are currently looking for a precise solution to the issue. Until then, as a temporary workaround, Plesk proposes disabling DCOM support on affected versions of Windows Server, following the Microsoft article here.
Note that a server restart is required for the change to take effect. Once applied, the change mitigates the vulnerability and the existing exploits no longer work.
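The following PowerShell script is an added example, not Plesk's own tooling or the Microsoft article's text. It inspects and toggles the machine-wide DCOM switch that the Microsoft "disable DCOM" procedure sets (the REG_SZ value EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole, "N" to disable, "Y" to enable), records the previous state so the workaround can be rolled back if a hosted site breaks, and reminds you that a reboot is still required. The backup file location under ProgramData is an assumption chosen for the example. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Plesk article or Microsoft's documentation).
# Inspect, apply and roll back the "disable DCOM" workaround via the registry
# value that dcomcnfg's "Enable Distributed COM on this computer" checkbox sets.
# Requires an elevated prompt; the change only takes effect after a reboot.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
# Assumed backup location for the pre-change value (not mandated by Microsoft)
$BackupFile = Join-Path $env:ProgramData 'dcom-enabledcom-backup.txt'
# Set to $true to actually apply the workaround; $false only reports state
$Apply = $false

function Get-DcomState {
    # EnableDCOM is a REG_SZ holding "Y" or "N"; when the value is absent,
    # Windows behaves as if it were "Y" (DCOM enabled).
    $item = Get-ItemProperty -Path $OleKey -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Y (default, value not set)' }
    return $item.EnableDCOM
}

function Set-DcomState {
    param([Parameter(Mandatory)][ValidateSet('Y', 'N')][string]$State)
    # Record what was there before so the change can be undone later
    Get-DcomState | Out-File -FilePath $BackupFile -Encoding ascii
    Set-ItemProperty -Path $OleKey -Name 'EnableDCOM' -Value $State -Type String
    Write-Host "EnableDCOM set to '$State' (previous value saved to $BackupFile)."
    Write-Host 'A reboot is required for the change to take effect: Restart-Computer'
}

function Disable-Dcom { Set-DcomState -State 'N' }   # the workaround
function Enable-Dcom  { Set-DcomState -State 'Y' }   # rollback if hosted sites break

Write-Host "Current EnableDCOM value: $(Get-DcomState)"

if ($Apply) {
    Disable-Dcom
}
# After the reboot, run Get-DcomState again and confirm it reports 'N'.
# If a hosted site (for example one depending on DCOM-activated COM servers)
# stops working, run Enable-Dcom and reboot to restore the original behaviour.
```

Keep the backup file and the reboot step in your change record: the value is trivial to flip back, but both the workaround and its rollback are only in force after the server has restarted, so a "verified" state is one read after that reboot.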
Are there any risks of applying proposed solution?
Plesk itself does not use DCOM directly, and we have tested the main Plesk scenarios with the change applied.
However, hosted websites may use DCOM, and disabling it can affect their functionality. Disabling DCOM may also affect servers that are members of a Windows domain.
- If you face any issues with Plesk in this context, contact our support team. Please use the keyword PFSI-61569 to ensure efficient handling of your request.
- If you face issues in your infrastructure that are not related to Plesk, please contact Microsoft directly to resolve them in your particular environment.
Comments
Can you please reference the original advisory from Microsoft?
Hello @burnleyvic,
The official article from Microsoft is absent.
Here's one of 3rd-party blogs about the issue:
https://decoder.cloud/2018/10/01/fear-the-rotten-juicy-potato-attack/
For additional information, contact Microsoft Support directly: https://support.microsoft.com/
Hello
We cannot disable DCOM because a lot of ASP.NET or ASP sites will not work anymore. Are there any other solutions for that? Could we change the security settings for DCOM to prevent the server from being vulnerable to that?
best regards chris
Hello Simple Hosting GmbH,
The only 100% valid solution is migration to Windows Server 2019 because previous versions are affected.
> Could we change the security settings for DCOM to prevent the server from being vulnerable to that?
As far as I know, there's no such workaround. To clarify this, I suggest contacting Microsoft Technical Support.
Hello Ivan
As you probably know, we would like to migrate all affected servers, but because of the SmarterMail 100 migration issue here we can't until a fix is available :-)
https://support.plesk.com/hc/en-us/articles/360010152599-Mail-migration-fails-to-from-server-using-SmarterMail-100
best regards chris