
URGENT: security fix for psa-proftpd?

It's not the psa-proftpd package, it's whatever is managing the xinetd config file in Plesk 10. Looks like the package name has changed between 9 and 10.
 
Plesk Microupdate where this problem will be fixed will be released very soon.
 
I find it funny that the bug was raised on October 29th (with Proftpd), and presented here on November 1st, and here it is November 10th and Plesk still doesn't have a patch for an _unauthenticated_ remote exploit. Even more laughable is that a third party vendor (atomic) has had a patch out for this security exploit for over a week. There is an exploit in the wild specifically targeting Plesk installs that has been out for three days.

I found four servers that have already been compromised using this exploit. We have disabled FTP on all Debian Plesk machines to prevent further exploits (our CentOS machines already use the atomic repos and were already protected).

I have to wonder what exactly is the hold up here. If Plesk offered the source packages for Debian I would have already patched this myself a week ago (which they are required to provide under the GPL, but don't seem to offer anywhere - but that is another matter completely).
 
Yep, and the one released on full-disclosure specifically references Plesk:

Code:
 ["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)",
...
 ["Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux 10.2, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux 11.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux 11.1, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)",
...
 ["CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)",
...
 
The Parallels announcement only mentions Plesk 9 and 10, are 8.x installs not vulnerable due to the older version of proftpd?
 
The problem according to the proftpd bugs database was introduced in version 1.3.2rc3 of ProFTPd. Looking at a Plesk 8.6 server I can see that the server is running ProFTPd version 1.3.2e which would appear to be affected as well.

I am curious what Parallels will say about support for that version of Plesk.
 
Seems like the only platform not affected would be PSA 8 on CentOS 3 where the newest version was 8.4 and which came with psa-proftpd-1.3.1-cos3.build84080425.19. PSA 8 on CentOS 4 and CentOS 5 all use vulnerable versions.
 
UPDATE Solution

In my last post, I asked about the consequences of symlinking.

Still wanting some feedback, but some remarks, when using the "symlink solution with newly compiled proftpd":

A - ftpxxx tools
- /usr/bin directory has some ftpdxxxx files (ftpwho, ftpcount etc) in it,
- these files are "old" and will not work with the newer version of proftpd
- if desired (not necessary), symlink those files to the new files (in the compilation directory)

B - Modules
Standard compilation of the newer version of proftpd (just issuing ./configure without custom config file) does exclude some modules that are present in the psa-proftpd compilation.

As far as I can see, no harm in missing them, but the missing modules are:
- mod_tls
- mod_quota (in the newer version, presumably mod_quotatab)
- mod_readme
- mod_ratio

They can be found in the contrib folder of the proftpd source directory, just compile them in your own version of proftpd.

C - UNRESOLVED vulnerability: mod_site
Somehow, I do understand that the newer 1.3.3c version resolves the security issues, except for the mod_site vulnerability. Less severe, but still annoying.

Parallels, resolve that in a hotfix.

D - Post scriptum
If any reasonable compilation of proftpd results, I will give it to anybody who asks/mails.

Naturally, Parallels should be providing the hotfix and, in the meantime, hope I can help.
 
Am I Affected

Hey Guys

Are my servers affected?

[admin@au1-h1-b4-p1 ~]# proftpd -v
- ProFTPD Version 1.3.1
[admin@au1-h1-b4-p1 ~]# uname -a
Linux au1-h1-b4-p1 2.6.18-028stab060.8 #1 SMP Mon Feb 9 20:25:36 MSK 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@au1-h1-b4-p1 ~]#

How can you upgrade without yum?

I can't install atomic without yum.

Can someone give me a step by step, as I don't wanna break it?

Cheers
Ryan
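
A version check for the question above, as an added example that is not part of any post in this thread: it parses `proftpd -v` output or an FTP greeting banner and tests the version against the range named in the thread (introduced in 1.3.2rc3, resolved in 1.3.3c). The function names and output labels are assumptions of this example, and a version string cannot show a fix backported by a packager, so the result is first-pass triage only.

```shell
#!/bin/sh
# Added example: triage a ProFTPD version string against the range named in
# this thread (bug introduced in 1.3.2rc3, resolved in 1.3.3c).
# Function names and the output labels are assumptions of this example.

# Turn "1.3.2rc3", "1.3.2e" or "1.3.3" into a fixed-width number that sorts
# in release order: rcN < plain release < lettered maintenance release.
version_key() {
    printf '%s\n' "$1" | awk '{
        if (!match($0, /^[0-9]+\.[0-9]+\.[0-9]+/)) exit 1
        base = substr($0, 1, RLENGTH); suffix = substr($0, RLENGTH + 1)
        split(base, n, ".")
        if (suffix == "")               { stage = 1; rank = 0 }
        else if (suffix ~ /^rc[0-9]+$/) { stage = 0; rank = substr(suffix, 3) + 0 }
        else if (suffix ~ /^[a-z]$/)    { stage = 1; rank = index("abcdefghijklmnopqrstuvwxyz", suffix) }
        else exit 1
        # Leading "1" keeps the key free of leading zeros for numeric tests.
        printf "1%03d%03d%03d%d%02d\n", n[1], n[2], n[3], stage, rank
    }'
}

# Accepts `proftpd -v` output or an FTP greeting banner.
# Prints: affected | not-affected | unknown
classify_proftpd() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*ProFTPD \(Version \)\{0,1\}\([0-9][^ ]*\).*/\2/p')
    key=$(version_key "$ver") || { echo unknown; return 0; }
    first_bad=$(version_key 1.3.2rc3)
    first_fixed=$(version_key 1.3.3c)
    if [ "$key" -ge "$first_bad" ] && [ "$key" -lt "$first_fixed" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Sample inputs copied from the thread.
classify_proftpd '- ProFTPD Version 1.3.1'
classify_proftpd 'Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)'
```

On a live host the input would be `classify_proftpd "$(proftpd -v 2>&1)"`.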
 
There is a critical bug and we have to wait 10 days for Parallels to release a hotfix, when official proftpd is already patched.

BTW, updating with atomic leads to another problem:
Code:
Determining the packages that need to be installed.
ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system.
Not all packages were installed.

This is a terrible service from Parallels, is this what we have to expect from them? 10 days to fix a bug? Is that the price of the license?
 
What should we do if we applied atomic update? (as suggested at http://www.parallels.com/products/plesk/ProFTPD)

Code:
A Proftpd update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below.

# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpd

This installs right, but leads to autoinstaller error:
Code:
ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system.

Should I uninstall proftpd from all servers?
 