Critical Security Vulnerability -> how about Expand compatibility?!

[CryoGenID]

Hello everybody!

You all have received the mail today regarding the "Critical Security Vulnerability" in all Plesk-Products.

So our question now is:
- Can we upgrade/patch our linux und windows versions (8.6) of Plesk and will they still work with Expand OK?
- Can we upgrade/patch our windows 9.5 c-mail plesk (incl. special hotfix for expand compatibility) with the patch and will
it still work OK with Expand? Or do we need a new "special hotfix" so that it still works with Expand?

Thanks a for a quick answer from the Expand Devs!

Best regards,

Christian

[CryoGenID]

Dear Parallels-Staff,

any updates on this here?
This seems to be a MAJOR SECURITY ISSUE, so please be so kind as to answer here ASAP...
We think all of your customers are interested how they can proceed in this matter...

Thanks a lot and best regards,

Christian

[CryoGenID]

Still now answer?

Unbelievable...

Best regards,

Christian

[CryoGenID]

As Parallels doesn't seem to take this issue seriously (we think that this is a terrible bug with
a HUGE impact):
We have now patched all 8.6-Servers without any problems and the patch for 9.5.4 (with special hotfix for Expand) can also be applied as it regards other files than the special expand-hotfix.

The only question which is still unanswered is, if Expand itself is also "open to the public" as all Plesk Control Panels seem to be.

We wish you all good luck with patching your systems!

Best regards,

Chris

[Ronan@]

I am also interested in hearing the answer to this question. We have patched all our Plesk 9.5.4 servers with the latest micro-updates and everything seems to be working fine. However I am seriously worried about the security of our expand instance.

We had an unknown compromise on our expand node last week and I was unable to find the source. A rootkit was installed in the expand VPS and it was being used for DOS attacks. I have since migrated expand to a newer VPS and it seems fine now but I am curious how the original hack was executed. It was a VPS dedicated to expand so there wasn't many ways for the VPS to be compromised.

Can someone from Parallels confirm if expand is vulnerable to the recent exploits in Plesk?

[CryoGenID]

We have managed to establish a contact to the devs of Expand.

Expand itself is not vulnerable to the _current_ SQL-Injection-Bug, but that doesn't mean that there might be another bug somewhere in Expand ;-)

But the current exploit doesn't work on Expand, so at least here we can be relieved...

Best regards,

Chris

[CryoGenID]

So as a new security vulnerability has been found (again!), we had to upgrade our c-mail server
to Plesk 9.5.5.

We have upgraded to 9.5.5, then applied the Expand-Patch for 9.5.5, then the MicroUpdates and then again the Expand-Patch (just to be sure).
We already wondered, why we didn't get the license agreement when we logged in as "admin" (we did get that before on 9.5.4 after installing the patch) but didn't pay that much mind.

But now we cannot create new eMail-Addresses!
THIS IS ABSOLUTELY VITAL FOR US THAT THE CMAIL-SERVER WORKS!

The Mailsystem (IceWarp) worked perfectly before with Plesk 9.5.4 and the Expand-Patch...

This is the error we get:
"Error: Unable to update the mail account properties:mailmng failed: Empty error message from utility."

The eMail-Address is created inside IceWarp but not shown inside Plesk (most likely because of the error).

Windows Event Log:

- ---
Faulting application name: mailmng.exe, version: 9.505.0.0, time stamp: 0x4e114033
Faulting module name: api.dll, version: 0.0.0.0, time stamp: 0x4fb28666
Exception code: 0xc0000005
Fault offset: 0x0000778e
Faulting process id: 0x11b8
Faulting application start time: 0x01cd62ad2254c51d
Faulting application path: C:\Program Files (x86)\Parallels\Plesk\admin\bin\mailmng.exe
Faulting module path: C:\PROGRA~2\IceWarp\api.dll
Report Id: 60512fbe-cea0-11e1-bf9d-005056963efe
- ---
- ---
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: mailmng.exe
P2: 9.505.0.0
P3: 4e114033
P4: api.dll
P5: 0.0.0.0
P6: 4fb28666
P7: c0000005
P8: 0000778e
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\A ppCrash_mailmng.exe_e8f41568aac836e36eba2f3b1166b5 2868d10_0b753b54

Analysis symbol:
Rechecking for solution: 0
Report Id: 60512fbe-cea0-11e1-bf9d-005056963efe
- ---
- ---
Version=1
EventType=APPCRASH
EventTime=129868460014160626
ReportType=2
Consent=1
ReportIdentifier=60512fbf-cea0-11e1-bf9d-005056963efe
IntegratorReportIdentifier=60512fbe-cea0-11e1-bf9d-005056963efe
WOW64=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=mailmng.exe
Sig[1].Name=Application Version
Sig[1].Value=9.505.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=4e114033
Sig[3].Name=Fault Module Name
Sig[3].Value=api.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=0.0.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4fb28666
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0000778e
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=5542
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=55426ddbace10bc9b61434d699b40557
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=98bf
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=98bf29ee300471b8b36ba2374bd93201
UI[2]=C:\Program Files (x86)\Parallels\Plesk\admin\bin\mailmng.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Mail Manager stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Program Files (x86)\Parallels\Plesk\admin\bin\mailmng.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[5]=C:\Windows\syswow64\GDI32.dll
LoadedModule[6]=C:\Windows\syswow64\USER32.dll
LoadedModule[7]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[8]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[9]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[10]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[11]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[12]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[13]=C:\Windows\syswow64\LPK.dll
LoadedModule[14]=C:\Windows\syswow64\USP10.dll
LoadedModule[15]=C:\Windows\syswow64\ole32.dll
LoadedModule[16]=C:\Windows\syswow64\OLEAUT32.dll
LoadedModule[17]=C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9 a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVC P80.dll
LoadedModule[18]=C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9 a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVC R80.dll
LoadedModule[19]=C:\Windows\syswow64\PSAPI.DLL
LoadedModule[20]=C:\Windows\system32\LIBMYSQL602.dll
LoadedModule[21]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[22]=C:\Windows\syswow64\NSI.dll
LoadedModule[23]=C:\Windows\syswow64\SHELL32.dll
LoadedModule[24]=C:\Windows\system32\IMM32.DLL
LoadedModule[25]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[26]=C:\Windows\syswow64\CLBCatQ.DLL
LoadedModule[27]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[28]=C:\Windows\system32\rsaenh.dll
LoadedModule[29]=C:\Windows\system32\RpcRtRemote.dll
LoadedModule[30]=C:\PROGRA~2\IceWarp\api.dll
LoadedModule[31]=C:\Windows\system32\msimg32.dll
LoadedModule[32]=C:\Windows\system32\version.dll
LoadedModule[33]=C:\Windows\system32\mpr.dll
LoadedModule[34]=C:\Windows\system32\SHFolder.dll
LoadedModule[35]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec8 3dffa859149af\comctl32.dll
LoadedModule[36]=C:\Windows\system32\winspool.drv
LoadedModule[37]=C:\Windows\system32\wsock32.dll
LoadedModule[38]=C:\Windows\system32\ODBC32.DLL
LoadedModule[39]=C:\Windows\system32\odbcint.dll
LoadedModule[40]=C:\Windows\system32\iphlpapi.dll
LoadedModule[41]=C:\Windows\system32\WINNSI.DLL
LoadedModule[42]=C:\Windows\system32\dhcpcsvc.DLL
LoadedModule[43]=C:\Windows\system32\SXS.DLL
LoadedModule[44]=C:\Windows\system32\libmysql.dll
LoadedModule[45]=C:\Windows\system32\NLAapi.dll
LoadedModule[46]=C:\Windows\system32\napinsp.dll
LoadedModule[47]=C:\Windows\System32\mswsock.dll
LoadedModule[48]=C:\Windows\system32\DNSAPI.dll
LoadedModule[49]=C:\Windows\System32\winrnr.dll
LoadedModule[50]=C:\Windows\system32\rasadhlp.dll
LoadedModule[51]=C:\Windows\System32\wshtcpip.dll
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Mail Manager
AppPath=C:\Program Files (x86)\Parallels\Plesk\admin\bin\mailmng.exe
- ---

As we had to choose between an open hole in Plesk and risiking to break something,
we went for the "secure Plesk first"-way as the worldwide impact of the "old" vulnerability
didn't leave us much choice but to patch RIGHT AWAY.

So please Parallels, do not us down here now, we really need to get this back working!

Thanks a lot and best regards

Christian