Applicable to:
- Plesk for Windows
Situation
Microsoft Windows Server in its default configuration has a critical vulnerability that allows an escalation of privileges once any account on the server is compromised. In a multi-tenant Plesk deployment (shared hosting) this means that a Plesk customer can upload specially crafted scripts to their own subscription and obtain Administrator privileges on the whole server.
Is this vulnerability in Plesk?
No, this is a vulnerability in Microsoft Windows Server itself. Plesk configures IIS accounts in the same way IIS does on a clean server without Plesk installed.
Plesk nevertheless tracks the issue internally under ID PFSI-61569 so that all details about it can be followed in one place.
Is my server affected?
The following versions of Windows are affected:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Windows Server 2019 is not affected by this vulnerability.
Will the vulnerability be fixed by Microsoft?
Microsoft does not offer hardening recommendations for versions of Windows Server prior to 2019, because the behavior stems from the architecture of those operating systems. Microsoft's official recommendation is: "Using Windows Server 2019 would mitigate this attack vector".
What can I do?
Plesk recommends updating to Plesk Obsidian 18.0.32 or newer. Security was improved in that version, and the improvements include measures against this vulnerability.
If that is not possible for any reason:
- As a workaround, disable DCOM on the server by following the Microsoft article for the affected versions of Windows Server.
Note: A server restart is required for the change to take effect. Once applied, the vulnerability is mitigated and existing exploits no longer work.
- Migrate to Plesk on Windows Server 2019, since that OS version is not affected by the vulnerability.
Note: The notification in Plesk is not hidden automatically after the solution is applied. To hide it, click I got it and understand the risk.
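The following PowerShell script is an added example and is not part of the Plesk article or of Plesk's own tooling. It covers the "Is my server affected?" and "What can I do?" sections in one place: it compares the OS build with the affected list above, reads the registry switch that Microsoft's disable-DCOM procedure changes (HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N, the same change as unticking "Enable Distributed COM on this computer" in dcomcnfg), lists which accounts hold SeImpersonatePrivilege (the privilege the JuicyPotato authors name as the precondition), and applies the DCOM workaround as a dry run. The function names, the build-number mapping and the temporary file path are my own assumptions; run it in an elevated PowerShell session on a staging server first.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Plesk article): assess a Plesk for Windows host for the
# DCOM/impersonation privilege escalation described above and optionally apply the
# DCOM workaround. Assumed names and values are marked as such in comments.

function Get-AffectedOsStatus {
    # Affected versions as listed in the article: 2008 R2, 2012, 2012 R2, 2016.
    # Build numbers are an assumption used to map the caption to the list:
    # 7600/7601 = 2008 R2, 9200 = 2012, 9600 = 2012 R2, 14393 = 2016, 17763 = 2019.
    $os = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    [pscustomobject]@{
        Caption  = $os.Caption
        Build    = $build
        Affected = ($build -in 7600, 7601, 9200, 9600, 14393)
    }
}

function Get-DcomState {
    # Microsoft's disable-DCOM procedure sets HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM to "N".
    # "Y" (or no value at all) means DCOM is enabled.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM `
            -ErrorAction SilentlyContinue).EnableDCOM
    if ($null -eq $v) { 'absent (DCOM enabled by default)' } else { $v }
}

function Get-ImpersonationHolders {
    # Export the local user-rights assignment and list who holds SeImpersonatePrivilege.
    # S-1-5-32-568 is the built-in IIS_IUSRS group; IIS worker process identities are
    # members of it, which is why code running inside a hosted site has the privilege.
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'   # assumed temp file name
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=\s*(.*)$' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # fall back to the raw SID if it cannot be resolved
    }
}

function Disable-DcomWorkaround {
    # Same effect as the Microsoft article's registry change. Takes effect only after a
    # reboot; set the value back to "Y" and reboot again to re-enable DCOM.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('HKLM:\SOFTWARE\Microsoft\Ole\EnableDCOM', 'Set to N')) {
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N'
        Write-Warning 'DCOM disabled in the registry; restart the server for the change to take effect.'
    }
}

# Report
$status = Get-AffectedOsStatus
$status | Format-List
"EnableDCOM: $(Get-DcomState)"
"Accounts holding SeImpersonatePrivilege:"
Get-ImpersonationHolders | ForEach-Object { "  $_" }

# Dry run only: remove -WhatIf to actually apply the workaround on an affected host.
if ($status.Affected) { Disable-DcomWorkaround -WhatIf }
```

The privilege listing is for assessment only: the article's supported mitigations are disabling DCOM or moving to Windows Server 2019, and removing SeImpersonatePrivilege from IIS_IUSRS is not something this page recommends. Before applying the workaround for real, note the section below on hosted sites and domain-joined servers that may depend on DCOM.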
Are there any risks of applying the proposed solution?
DCOM is not used by Plesk, and main Plesk usage scenarios have been tested with it disabled.
However, DCOM may be used by hosted websites, and disabling it may affect their functionality. Disabling DCOM may also affect servers that are members of a Windows domain.
If issues in infrastructure unrelated to Plesk occur after applying the workaround, contact Microsoft directly.
Comments
23 comments
Can you please reference the original advisory from Microsoft?
Hello @burnleyvic,
There is no official article from Microsoft.
Here's one of 3rd-party blogs about the issue:
https://decoder.cloud/2018/10/01/fear-the-rotten-juicy-potato-attack/
For additional information, contact Microsoft Support directly: https://support.microsoft.com/
Hello
We cannot disable DCOM because a lot of ASP.NET or ASP applications will not work anymore. Are there any other solutions for that? Could we change the security settings for DCOM to prevent the server from being vulnerable to this?
Best regards, Chris
Hello Simple Hosting GmbH,
The only 100% valid solution is migration to Windows Server 2019 because previous versions are affected.
> Could we change the security settings for DCOM to prevent the server from being vulnerable to this?
As far as I know, there's no such workaround. To clarify this, I suggest contacting Microsoft Technical Support.
Hello, I'm the co-author of "JuicyPotato". As we wrote in our post: "It's nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging." There are plenty of out-of-process DCOM servers (https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md). So the only "workaround" is to protect sensitive accounts and applications if you don't upgrade to Windows 2019 server. From MS's point of view, if you have impersonation privileges, the behavior is by design...
Hello @ap, we would really appreciate it if you could get in touch with our security team so we can discuss this topic in more detail: security@<our_site_name> :)
I recommend you email all your customers ASAP informing them to do full server backups, as it seems to be a huge attack recently.
Our first Windows 2012 R2 server was affected yesterday, but luckily we do regular server-level backups every few days and could restore what was affected by using it.
However, we noticed an attempt on another server this morning.
Hence we will be informing customers and are moving them urgently to new Windows Server 2019 servers.
We hence recommend all web hosts offering any shared Windows hosting, no matter what web panel you use, to do so urgently as well.
It's a huge vulnerability Microsoft will not fix, and quite a sad time for Windows hosts.
Note: if you have an extra backup drive attached as local storage to Plesk servers, they hack and encrypt the backups as well. Just a note.
Hence make backups, backups, backups of full servers using Acronis, R1Soft or Hyper-V etc.
Hello SysAdminCPT
Thank you for the message.
Plesk clients are being notified about this issue.
Is there a correct way to do an in-place upgrade from Windows Server 2012R2 to Windows 2019 in order to keep Plesk running correctly during the process?
What if you're not using shared plesk hosting? Or if you would restrict plesk access to only a certain set of IP addresses? Would that mitigate an attack?
Fabio
Such a scenario is not supported by Plesk. Instead, it is recommended to migrate Plesk to another server with a newer Windows version using the Migration and Transfer Manager.
Thank you, Julian.
Can we run Obsidian on Windows Server 2019 Essentials? Has this been tested for 100+ subscriptions?
Hello Johnnya
If your Plesk installation is for internal use, limiting server access to a list of IPs should do the trick.
As for shared hosting, as long as a domain can potentially be hacked, it may be used to gain privileges.
The ultimate fix is still to migrate to Windows Server 2019.
Hello Burnley
The list of supported Windows Server 2019 editions may be found here:
64-bit, Standard, Datacenter, and Essentials editions.
So, Essentials edition limitations should influence Plesk functionality.
I noticed when they hacked one of our servers they used ransomware to encrypt all files. Luckily we did regular backups. However, I'd like to know, once we have completed migrating to a new server on Windows 2019, is it advisable to enable ransomware protection? I already see it picked up some weird files and a file called potato.exe and quarantined it in Windows Defender. But has anyone used the ransomware protection option yet? Will it cause issues if we protect the mail, website and DB folders from access using this feature?
@Aziz, generally it should work, but some solutions do false-positive detection on Plesk files. Thus, we recommend excluding the Plesk installation folder from scanning.
How can I find out if my server is infected?
Hello Fabian,
If there are no suspicious symptoms, you may try scanning the server with antivirus software and contact any available security company to conduct a server audit.
The general recommendation is still to migrate domains to the server with Windows Server 2019.
Server error
Zend_Db_Adapter_Exception
SQLSTATE[HY000] [2002] No connection could be made because the target machine actively refused it.
Hello quachdinhhop
The error by itself is quite generic.
Additional investigation is required.
Consider creating a request to Plesk Technical Support.
Hello All
We did some inline upgrades from Plesk Windows 2016 servers to 2019 and it worked like a charm. So if you do not want to set up a completely new Windows 2019 web hosting server and have some 2016 servers, you could do an inline upgrade of the OS with Plesk Obsidian installed, without breaking the Plesk installation.
Best regards, Chris
Simple Hosting GmbH, that is good news, but keep in mind that such a scenario is not supported by Plesk. Instead, it is recommended to migrate Plesk to another server with a newer Windows version using the Migration and Transfer Manager.
One of our servers was badly hacked, and we found that by restoring a backup we got it running again. We monitored it with Wireshark and a firewall in front of the server and found that various different IP ranges that rotate were trying to get access to Windows Server 2016 IPs far more on ports 445 and 3389 than 2019.
We found that using RDPGuard and having it block hits on RDP port 3389 or port 445 seems to stop the attacks. This is of course a temporary fix until we upgrade the leftover servers on 2016.