Resolved Plesk Rouncube and exploit CVE-2023-5631

[M-Ruiter]

CVE-2023-5631 is a exploid for Roundcube thats out in the open.

Is there a migitation manual and when will the update to patch this leak be released ?

NVD - CVE-2023-5631

nvd.nist.gov

Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631) - Help Net Security

The Winter Vivern APT group has been exploiting a zero-day vulnerability (CVE-2023-5631) in Roundcube webmail servers.

www.helpnetsecurity.com

 

[B_P]

Looks like Roundcube is still at version 1.6.0 with latest plesk installations while only version 1.6.4 will fix this.

 

[Kaspar]

Looks like Roundcube is still at version 1.6.0 with latest plesk installations while only version 1.6.4 will fix this.

1.6.3 since Plesk 18.0.56. Hopefully there will an update to 1.6.4 soon to fix the issue.

 

[Peter Debik]

Plesk plans to update Roundcube to version 1.6.4, respectively 1.4.15 where this is not possible due to operating system limitations, in the upcoming release 18.0.57 which is scheduled for the middle of November.

 

[S. Schröder]

Mid-November?

This is a security vulnerability that is already being exploited!

What's wrong with you?

You should fix / roll this out in a few hours!

With little understanding
Stephan Schröder

 

[Mark_NLD]

This thread should be merged with Question - Roundcube 1.6.4 is released. When will plesk upgrade to it?

 

[Flashdown]

Hello together,
I assume when you ensure that you run the latest roundcube 1.6.3 shipped by plesk packages, that you should be able to implement the following changes manually that should be overwritten automatically as soon as plesk ships 1.6.4 (You may better wait for an official confirmation from the Plesk Team that this is save to be done or not):

All changes necessary can be found in the link below, so locate the files, back them up in a folder outside of it's original location and then apply the small changes and you should be good to go.
2 Files should be modified, where maybe the first one is enough, as the test directory sounds to me like it might be just used as auto test during package creation, but as I never packaged roundcube myself, you better change both to be sure:
- program/lib/Roundcube/rcube_washtml.php
- tests/Framework/Washtml.php

Changes needed can be copy and pasted from here:

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@7b2df52

…ML messages (#9168)

github.com

Best regards
Flashdown - A simple Plesk user running Debian

 

[Peter Debik]

What's wrong with you?

Everything is fine with me, thank you for asking.

 

[Peter Debik]

This thread should be merged with Question - Roundcube 1.6.4 is released. When will plesk upgrade to it?

It is technically not possible to merge threads due to limitations of the forum software.

 

[Peter Debik]

We're currently planning to deliver the fix with a micro update 18.0.56 #2, which will be published sooner than the next regular update.

 

[Peter Debik]

https://support.plesk.com/hc/en-us/articles/18573638599831-CVE-2023-5631-vulnerability-in-Roundcube

 

[Mark_NLD]

Hello together,
I assume when you ensure that you run the latest roundcube 1.6.3 shipped by plesk packages, that you should be able to implement the following changes manually that should be overwritten automatically as soon as plesk ships 1.6.4 (You may better wait for an official confirmation from the Plesk Team that this is save to be done or not):

All changes necessary can be found in the link below, so locate the files, back them up in a folder outside of it's original location and then apply the small changes and you should be good to go.
2 Files should be modified, where maybe the first one is enough, as the test directory sounds to me like it might be just used as auto test during package creation, but as I never packaged roundcube myself, you better change both to be sure:
- program/lib/Roundcube/rcube_washtml.php
- tests/Framework/Washtml.php

Changes needed can be copy and pasted from here:

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT… · roundcube/roundcubemail@7b2df52

…ML messages (#9168)

github.com

Best regards
Flashdown - A simple Plesk user running Debian

I guess this would be a quick fix on any 18.0.56 Update #1 system:

mv /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php_bck
wget https://raw.githubusercontent.com/roundcube/roundcubemail/master/program/lib/Roundcube/rcube_washtml.php -P /usr/share/psa-roundcube/program/lib/Roundcube/

 

[Flashdown]

I guess this would be a quick fix on any 18.0.56 Update #1 system:

mv /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php_bck
wget https://raw.githubusercontent.com/roundcube/roundcubemail/master/program/lib/Roundcube/rcube_washtml.php -P /usr/share/psa-roundcube/program/lib/Roundcube/

Well this looks dangerous to me.

Why?
-> First of all you are getting the file from the current master branch, usually when a version is released then this branch will be used for the next version, so this is what makes it dangerous in terms of possible incompatibilities.

Next, I didnt check if there where further changes done to this file between version 1.6.3 and 1.6.4 so there could be incompatible changes in it. This is why I suggested to do these changes for fixing the CVE manually once, if you check it yourself and find no other changes beeing done in this file, then you can grab it via the commit I am referring to, otherwise do it manually once and then you have a file to deploy.

Also creating the backup file in the same location is not that good as you will forget about this file and it will remain forever. The Debian Package Management Systems keeps track of the files coming from a Debian package and ensures this doesnt happen. Therefore better put the backup file into /root/

Also you are moving the old original file away, thus losing the current permissions, user and group assigned to it. So better copy the file for backup away and keep the original in it's place, then just override the file with cp and the permissions, user and group will remain.

 

[Peter Debik]

Please wait on the official update. Staff is already preparing it, and it will come very soon, probably within the next few days.

 

[B_P]

Please wait on the official update. Staff is already preparing it, and it will come very soon, probably within the next few days.

... coming back to the discussion of the annual price increase. With the price increases we have seen since Plesk has been bought by WebPros, customers expect an excellent support.
An update "within the next few days" for a vulnerability (where a known fix in terms of an available update for an open source component exists) is clearly NOT what falls under excellent support. Anything > 24 hours is not acceptable here.

 

[Peter Debik]

@B_P Sorry to hear that this is still not fast enough for you. Which other vendors do you know who have fixed this vulnerability in their panels faster? Are you aware that for similar issues, e.g. with smartphone operating systems and apps, with office software, popular email apps etc. such vulnerabilities normally take weeks to be fixed? Is the expectation of an instant fix realistic?

 

[Flashdown]

Well this looks dangerous to me.

Why?
-> First of all you are getting the file from the current master branch, usually when a version is released then this branch will be used for the next version, so this is what makes it dangerous in terms of possible incompatibilities.

Next, I didnt check if there where further changes done to this file between version 1.6.3 and 1.6.4 so there could be incompatible changes in it. This is why I suggested to do these changes for fixing the CVE manually once, if you check it yourself and find no other changes beeing done in this file, then you can grab it via the commit I am referring to, otherwise do it manually once and then you have a file to deploy.

Also creating the backup file in the same location is not that good as you will forget about this file and it will remain forever. The Debian Package Management Systems keeps track of the files coming from a Debian package and ensures this doesnt happen. Therefore better put the backup file into /root/

Also you are moving the old original file away, thus losing the current permissions, user and group assigned to it. So better copy the file for backup away and keep the original in it's place, then just override the file with cp and the permissions, user and group will remain.

I have checked it and there where no further changes between 1.6.3 and 1.6.4 so you can apply the patch on 18.0.56 Update #1 by running this, at your own risk as I did:

cp /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php /root/ cd /root/ && wget https://raw.githubusercontent.com/roundcube/roundcubemail/6ee6e7ae301e165e2b2cb703edf75552e5376613/program/lib/Roundcube/rcube_washtml.php && cp rcube_washtml.php.1 /usr/share/psa-roundcube/program/lib/Roundcube/rcube_washtml.php && echo done

 

[Mark_NLD]

The Roundcube update is available in 18.0.56#2.
Install it via: Tools & Settings -> Updates

Change Log for Plesk Obsidian

Find out about changes, additions and updates to Plesk Obsidian on an iteration to iteration basis.

docs.plesk.com