Cobra Forum

Plesk Panel => Others => Topic started by: Administrator on Dec 29, 2022, 07:20 AM

Title: Rest API vulnerability against the CSRF attack in Plesk
Post by: Administrator on Dec 29, 2022, 07:20 AM
Situation
In the article "COMPROMISING PLESK VIA ITS REST API", a vulnerability in the Plesk Rest API was disclosed. The vulnerability is tracked as #PFSI-63762.

Using social engineering, an attacker can trick a user who is already authenticated to the Plesk Rest API into navigating to a malicious HTML page; that page then executes a Plesk CLI command on the user's behalf through the Rest API cli-gate endpoint at https://203.0.113.2:8443/api/v2/cli/commands

Impact
In Plesk versions from 17.8 onward, an attacker can execute commands and/or alter settings, including changing the admin's password.

98.4% of Plesk servers had the extension updated automatically and were not impacted.

Fixes were delivered as follows:

Call to Action
The vulnerability was fixed in an update of the Rest API extension.

Therefore, if the Daily Maintenance scheduled task is not working on the server, take the following steps to check whether the vulnerability persists:
# Execute the following command (via cmd.exe on Windows):
The Rest API version should be:
For Plesk version 18.0.26 and newer:
1.5.9 or higher
For Plesk versions 17.8.10 - 18.0.25:
1.4.8 or higher
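To make the comparison above mechanical, here is an added POSIX shell helper (not from the advisory, not part of Plesk, and not the upgrade command the post refers to). It encodes only the two thresholds listed above; how you obtain the Plesk version and the Rest API extension version is assumed (for example, copied from the panel or from the extension list), and the helper takes both as arguments.

```shell
#!/bin/sh
# Added example, not from the Plesk advisory: compare the installed Rest API
# extension version against the fixed-version thresholds given in the post.
# Obtaining the two version strings is assumed; they are passed as arguments.

# version_ge A B -> exit 0 when A >= B, comparing dotted numeric components
# (missing trailing components count as 0, so 1.5 < 1.5.9 and 1.5 == 1.5.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Thresholds from the post: Plesk 18.0.26+ needs Rest API 1.5.9 or higher,
# Plesk 17.8.10 .. 18.0.25 needs 1.4.8 or higher. Older Plesk releases are
# not covered by the post, so they are reported as "unsupported".
required_rest_api_version() {
    if version_ge "$1" "18.0.26"; then
        echo "1.5.9"
    elif version_ge "$1" "17.8.10"; then
        echo "1.4.8"
    else
        echo "unsupported"
    fi
}

# rest_api_fixed PLESK_VERSION REST_API_VERSION
# Prints "fixed", "vulnerable (need X or higher)" or "unsupported";
# exit status 0 only when the installed extension meets the threshold.
rest_api_fixed() {
    required=$(required_rest_api_version "$1")
    if [ "$required" = "unsupported" ]; then
        echo "unsupported"
        return 2
    fi
    if version_ge "$2" "$required"; then
        echo "fixed"
        return 0
    fi
    echo "vulnerable (need $required or higher)"
    return 1
}

# Usage: sh check_rest_api.sh <plesk-version> <rest-api-version>
if [ "$#" -eq 2 ]; then
    rest_api_fixed "$1" "$2"
fi
```

The helper deliberately treats a Plesk version below 17.8.10 as "unsupported" rather than "fixed", since the post gives no threshold for those releases; a non-zero exit status in either the vulnerable or the unsupported case makes it usable from a monitoring job.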
If the version in the environment in question is lower than the one listed above, upgrade the Rest-API extension by executing the following command: