Applicable to:
- Plesk for Windows
Situation
Vulnerability CVE-2020-13166 was discovered in myLittleAdmin: https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
Impact
If myLittleAdmin is installed, an unauthenticated remote attacker can run arbitrary code on behalf of IUSRPLESK_sqladmin.
Call to Action
Since the vulnerability was discovered in the latest myLittleAdmin version available (see http://mylittleadmin.com/en/history.aspx), consider applying one of the following workarounds:
- Connect to the server via RDP
- Delete the following lines from %PLESK_DIR%\MyLittleAdmin\web.config:

<machineKey
validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
validation="SHA1" />

Note: the warning message in the Plesk GUI will stay as-is even after these lines are removed. It can be safely ignored.
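One way to apply the first workaround without hand-editing the file, as an added example that is not part of this article: a PowerShell script that checks whether %PLESK_DIR%\MyLittleAdmin\web.config still carries a fixed <machineKey> element and removes it, keeping a backup. It assumes the default myLittleAdmin path under %PLESK_DIR% and a standard ASP.NET web.config with no default XML namespace.

```powershell
# Added example (not Plesk's code): audit and remove the static <machineKey>
# from myLittleAdmin's web.config, with a backup. Assumes the default path under
# %PLESK_DIR% and a web.config without a default XML namespace.
$MachineKeyXPath = '/configuration/system.web/machineKey'

function Get-MlaWebConfigPath {
    # %PLESK_DIR% is set by the Plesk for Windows installer
    Join-Path $env:PLESK_DIR 'MyLittleAdmin\web.config'
}

function Test-StaticMachineKey {
    # Returns $true while web.config still contains a fixed <machineKey> (still exposed)
    param([Parameter(Mandatory)][string] $Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    return ($null -ne $doc.SelectSingleNode($MachineKeyXPath))
}

function Remove-StaticMachineKey {
    # Deletes the <machineKey> element; returns $true if something was removed
    param([Parameter(Mandatory)][string] $Path)
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep the rest of the file's layout intact
    $doc.Load($fullPath)
    $node = $doc.SelectSingleNode($MachineKeyXPath)
    if ($null -eq $node) { return $false }
    # Back up first so the change can be reverted if needed
    $backup = "$fullPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $fullPath -Destination $backup
    [void]$node.ParentNode.RemoveChild($node)
    $doc.Save($fullPath)
    Write-Host "Removed <machineKey> from $fullPath (backup: $backup)"
    return $true
}

$webConfig = Get-MlaWebConfigPath
if (Test-StaticMachineKey -Path $webConfig) {
    Remove-StaticMachineKey -Path $webConfig | Out-Null
}
# With the element gone, ASP.NET falls back to its auto-generated keys; prints False
Test-StaticMachineKey -Path $webConfig
```

Run it from an elevated PowerShell session on the Plesk host; ASP.NET picks up the changed web.config without an IIS restart, and the .bak file lets you restore the original if needed.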
Remove myLittleAdmin from Plesk:
- Log in to Plesk
- Go to Tools & Settings > Updates > Add/Remove components and uncheck myLittleAdmin.
- Click Continue
As an alternative for managing MS SQL databases, it is recommended to use Microsoft SQL Server Management Studio.
The warning message about the vulnerability will be removed after the next daily task execution.
Comments
10 comments
I guess I'm the first victim of this exploit... One of my servers was hacked a few hours ago. The attacker uploaded a file named psf.exe in c:\tmp. The file owner is IUSRPLESK_sqladmin. Created an account administrators, disabled the firewall and ...
I was lucky that I was monitoring the server and I didn't lose any data. This is serious.
Hello Iman GM
Glad to hear that you've avoided the bigger impact.
Thank you for sharing your user experience.
Hello,
you can also use the command line to quickly uninstall the mylittleadmin component:
C:\ParallelsInstaller\parallels_installer_Microsoft_6.3_x86_64_3.22.14.exe --remove-component mylittleadmin
Remember to adjust the installer name to match your installer version/path.
Good luck
Hi Team,
I have tested on one of my servers - generating a new Machine Key in IIS appears to resolve this exploit. Steps to reproduce:
- Install Server 2016 Standard (Desktop Experience) as the OS on a blank VM
- Add the IIS feature, including .NET support
- Copy an existing MLT/MLA/MLB installation and place it in C:\inetpub\wwwroot
- Confirm access to the MLA instance from the location where the Python exploit will be run
- Run the Python exploit (courtesy of https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/) and verify that the Windows Calculator is running
- Go into IIS > Machine Keys > Generate new Key > Apply
- IISreset
- Re-run the Python exploit and verify that the Windows Calculator is not running
- Log in to MLA and test that all functionality is working
Rather than removing MyLittleAdmin, if Plesk could release an update that forces IIS to generate a new Machine Key, this should be a simple fix.
Hi There
I am unable to do any changes. I have followed your instructions and when I click on Updates and Upgrades, it takes me to a new tab where I can see the Plesk updater, but the ADD/REMOVE options are greyed out. Any help here? Thanks
Tim Aplin, thank you for sharing your test results. Basically it is enough just to remove the machineKey as the article suggests, without generating it again. We plan to deliver an automatic fix in an upcoming update for MyLittleAdmin in Plesk.
Bax, try running the update from the command line:
plesk installer --console
Or just remove the machine keys; that also "closes" the vulnerability.
Thanks for the heads up. We removed the machine key from our Windows Plesk servers' MyLittleAdmin. Using MS Management Studio instead is not an option, as we don't provide direct access to our DB servers from the internet.
Is it still?
Is Plesk/myLittleAdmin working on a solution or another tool?
Hello!
ITCS OTE SA
Thank you for sharing.
system hadara
The workaround will be implemented automatically for the following Plesk versions:
- Plesk Obsidian: since 18.0.28 (already available)
- Plesk Onyx: the workaround will be available in the nearest micro updates for 17.5 and 17.8:
  - 17.8: MU#89
  - 17.5: MU#95
- 17.0: will be available later