Rest API vulnerability to CSRF attacks in Plesk

Situation

The "COMPROMISING PLESK VIA ITS REST API" article disclosed a Rest API vulnerability in Plesk. The vulnerability is tracked as #PFSI-63762.

Using social engineering, an attacker is able to trick a user into navigating to a malicious HTML page that executes a remote Plesk CLI command via the Rest API cli-gate endpoint at https://203.0.113.2:8443/api/v2/cli/commands, on behalf of a user who is already authenticated in the Plesk Rest API interface.

Impact

In Plesk versions starting from Plesk 17.8, an attacker can execute commands and/or alter settings, including changing the admin's password.

98.4% of Plesk servers had the extension updated automatically and were not impacted.

Fixes were delivered as follows:

  • For Plesk versions 18.0.26 and newer: July 5, 2022
  • For Plesk versions 17.8.10 - 18.0.25: September 26, 2022

Call to Action

The vulnerability was fixed as part of the Rest API extension update.

Therefore, if the Daily Maintenance scheduled task is not working on the server (so the extension may not have been updated automatically), take the following steps to check whether the vulnerability persists:

  1. Connect to the server via SSH (or via RDP on Windows).
  2. Execute the following command (via cmd.exe on Windows):

    # plesk db "select name, version from Modules where name = 'rest-api'"

The Rest API version should be:

  • For Plesk version 18.0.26 and newer:
    1.5.9 or higher
  • For Plesk versions 17.8.10 - 18.0.25:
    1.4.8 or higher
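The check above can be scripted so that the installed extension version is compared against the fixed version that applies to the running Plesk release. The script below is an added example, not part of the Plesk article or of Plesk's own tooling. It assumes that `plesk version` prints a line of the form "Product version: Plesk Obsidian 18.0.45" (the last whitespace-separated token being the version) and that the `plesk db` query prints a row containing "rest-api" followed by a dotted version number; both output formats are assumptions, and the sample output embedded in the script is constructed for offline use.

```shell
#!/bin/sh
# Added example: verify that the Plesk REST API extension is at or above the
# version that fixes #PFSI-63762 (1.5.9 for Plesk 18.0.26+, 1.4.8 for 17.8.10 - 18.0.25).
# Not Plesk's own code; the `plesk version` / `plesk db` output formats are assumptions.

# version_ge A B: exit 0 when dotted version A >= B (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0
    }'
}

# required_rest_api_version PLESK_VERSION: print the minimum fixed rest-api version
# for this Plesk release, or "unsupported" for releases the article does not cover.
required_rest_api_version() {
    if version_ge "$1" "18.0.26"; then
        echo "1.5.9"
    elif version_ge "$1" "17.8.10"; then
        echo "1.4.8"
    else
        echo "unsupported"
    fi
}

# parse_rest_api_version OUTPUT: pick the dotted version from the `plesk db` row
# for rest-api; works for both tab-separated and bordered (| ... |) table output.
parse_rest_api_version() {
    printf '%s\n' "$1" | awk '/rest-api/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit }
    }'
}

# check_rest_api PLESK_VERSION INSTALLED_VERSION: print fixed / VULNERABLE / unknown /
# unsupported and return 0 only when the installed extension is at a fixed version.
check_rest_api() {
    req=$(required_rest_api_version "$1")
    if [ "$req" = "unsupported" ]; then echo "unsupported"; return 1; fi
    if [ -z "$2" ]; then echo "unknown"; return 3; fi
    if version_ge "$2" "$req"; then echo "fixed"; return 0; fi
    echo "VULNERABLE"; return 2
}

# Constructed sample of the `plesk db` query output (not captured from a real server).
SAMPLE_DB_OUTPUT="name    version
rest-api    1.5.8"

# Use the real commands when plesk is installed, otherwise fall back to the sample.
if command -v plesk >/dev/null 2>&1; then
    plesk_version=$(plesk version | awk '/Product version/ { print $NF }')   # assumed format
    installed=$(parse_rest_api_version "$(plesk db "select name, version from Modules where name = 'rest-api'")")
else
    plesk_version="18.0.45"   # constructed sample release
    installed=$(parse_rest_api_version "$SAMPLE_DB_OUTPUT")
fi
result=$(check_rest_api "$plesk_version" "$installed") && rc=0 || rc=$?
printf 'Plesk %s with rest-api %s: %s (exit %s)\n' "$plesk_version" "$installed" "$result" "$rc"
```

The exit code (0 fixed, 2 vulnerable, 3 version not found, 1 release not covered) lets the script be dropped into a monitoring check; the version comparison is done numerically component by component rather than with string comparison, so 1.5.10 correctly ranks above 1.5.9.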
