- Plesk for Windows
Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin.
Call to Action
Since the vulnerability was discovered in the latest myLittleAdmin version available (see http://mylittleadmin.com/en/history.aspx), consider applying one of the following workarounds:
Click on a section to expand
Connect to the server via RDP
Delete the following lines from
Note: the warning message in Plesk GUI will stay as-is even when the code is removed. It can be safely ignored.
Remove myLittleAdmin from Plesk:
- Log in to Plesk
- Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin:
- Click Continue
As an alternative, to manage MS SQL databases it is recommended to use Microsoft SQL Management studio.
The warning message about Vulnerability will be removed after next daily task execution
I guess I'm the first victim of this exploit... One of my servers was hacked a few hours ago. Attacker uploaded a file named psf.exe in c:\tmp. File owner is IUSRPLESK_sqladmin. Created an account administrators, disabled firewall and ...
I was lucky that I was monitoring the server and I didn't lose any data. This is serious.
Hello Iman GM
Glad to hear that you've avoided the bigger impact.
Thank you for sharing your user experience.
you can also use Command Line to fastly uninstall mylittleadmin component:
C:\ParallelsInstaller\parallels_installer_Microsoft_6.3_x86_64_3.22.14.exe --remove-component mylittleadmin
Remember to modify the installer name related to the installer version/path
I have tested on one of my servers - Generating a new Machine Key in IIS appears to resolve this exploit - steps to reproduce:
Install Server 2016 Standard (Desktop experience) for the OS on blank VM
Add IIS feature, including .net support
Copy existing MLT/MLA/MLB installation, place in the C:\inetpub\wwwroot
Confirm access to the MLA instance from location where the Python exploit will be run from
Run the Python Exploit (courtesy of https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/), verify that the Windows Calculator is running
Go into IIS > Machine Keys > Generate new Key > Apply
Re-run the Python Exploit – verify that the Windows Calculator is not running.
Login to MLA and test that the functionality is all working, rather than removing MyLittleAdmin, if Plesk could release an update that forces IIS to generate a new Machine Key, this should be a simple fix
I am unable to do any changes. I have followed your instructions and when I click on Updates and Upgrades, it takes me to a new tab where I can see the Plesk updater, but the ADD/REMOVE options are greyed out. Any help here? Thanks
Tim Aplin thank you for sharing your tests results. Basically it is enough just to remove machineKey like article suggests without generating it again. We plan to deliver automatic fix in upcoming update for MyLitteltAdmin in Plesk.
Bax try run update with command line:
plesk intsaller --console
Or just remove machine keys, it is also "close" the vulnerability.
Thanx for the heads up. We removed the machine key from our windows plesk servers' MyLittleAdmin. Using the MS Management Studio instead is not an option, as we don't provide direct access to our DB servers from the internet.
Is it still?
Does plesk/mylittleAdmin work on a solution or another tool?
ITCS OTE SA
Thank you for sharing.
The workaround will be implemented for Plesk installations automatically for the following Plesk versions:
Since 18.0.28 (already available)
Plesk Onyx, the workaround will be available in nearest micto updates for 17.5 and 17.8:
17.0: will be available later
Please sign in to leave a comment.