Uncontrolled search path element vulnerability in Plesk
Description
Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. A local attacker could execute arbitrary code by injecting DLL files into the same folder where the application is installed, resulting in DLL hijacking in edputil.dll, samlib.dll, urlmon.dll, sspicli.dll, propsys.dll and profapi.dll files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local DLL hijacking vulnerability in Plesk Installer 3.27.0.0 allows arbitrary code execution via malicious DLLs placed in the application folder.
Vulnerability
CVE-2023-4931 is an uncontrolled search path element vulnerability (CWE-427) in Plesk Installer version 3.27.0.0. The installer loads several DLLs—edputil.dll, samlib.dll, urlmon.dll, sspicli.dll, propsys.dll, and profapi.dll—by searching the application's own directory before system paths, making it possible for a local attacker to execute arbitrary code by injecting malicious DLLs into the same folder where Plesk Installer is installed [1].
Exploitation
An attacker must have local access to the system and be able to write files into the directory where Plesk Installer is running. No special privileges beyond local user access are required, but user interaction may be needed to trigger the installer execution. The attacker places a crafted DLL with one of the listed names into the installer's folder; when the installer runs, the operating system loads the malicious DLL instead of the legitimate system DLL, achieving code execution in the context of the installer process [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the Plesk Installer process. This can lead to full compromise of the Plesk management platform, including disclosure of server configuration data, modification of server settings, and potential lateral movement to other services. The CVSS v3.1 base score is 6.3 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L), indicating high confidentiality and integrity impact with limited availability impact [1].
Mitigation
The vulnerability has been fixed in Plesk Installer version 3.55.0 [1]. Users of affected versions should immediately update to the patched release. No workaround is provided in the available references; administrators should restrict local write access to the installer directory and monitor for suspicious DLL files as interim measures [1].
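The interim measures above (restrict write access to the installer directory, watch for planted DLLs) can be checked from an administrative PowerShell session. The script below is an added example, not code from the page or from Plesk: it takes the installer directory as a parameter (the page gives no path, so that is an assumption), looks for copies of the six DLL names from the CVE description, which are Windows system DLLs that have no business sitting beside an installer, and reports any directory ACL entries that grant write rights to broad principals.

```powershell
# Added defender check for CVE-2023-4931-style DLL planting (not Plesk code).
# Assumption: -InstallerDir is the folder Plesk Installer runs from; the page
# does not state the path, so it is supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerDir
)

# DLL names listed in the CVE description. All of them are normally loaded
# from %SystemRoot%\System32, so a copy in the application folder is suspect.
$WatchedDlls = @('edputil.dll', 'samlib.dll', 'urlmon.dll',
                 'sspicli.dll', 'propsys.dll', 'profapi.dll')

if (-not (Test-Path -LiteralPath $InstallerDir -PathType Container)) {
    throw "Directory not found: $InstallerDir"
}

# 1. Planted-DLL check: hash, signature state and timestamp of any hit.
$findings = foreach ($name in $WatchedDlls) {
    $candidate = Join-Path -Path $InstallerDir -ChildPath $name
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        [pscustomobject]@{
            Path      = $candidate
            Sha256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            LastWrite = (Get-Item -LiteralPath $candidate).LastWriteTimeUtc
        }
    }
}

# 2. Write-access check: ACEs that let broad groups create or modify files
#    in the directory are what make local DLL planting possible.
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

$weakAces = (Get-Acl -LiteralPath $InstallerDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadPrincipals -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $writeRights) -ne 0)
} | Select-Object IdentityReference, FileSystemRights, IsInherited

# 3. Report. Exit code 1 signals a finding so the script can run from a scheduler.
$exitCode = 0
if (@($findings).Count -gt 0) {
    Write-Warning "Watched DLL(s) present beside the installer in $InstallerDir"
    $findings | Format-Table -AutoSize
    $exitCode = 1
} else {
    Write-Output "No watched DLLs found in $InstallerDir"
}

if (@($weakAces).Count -gt 0) {
    Write-Warning "Broad principals hold write rights on $InstallerDir"
    $weakAces | Format-Table -AutoSize
    $exitCode = 1
} else {
    Write-Output "No broad write access on $InstallerDir"
}

exit $exitCode
```

Run it as `.\Check-InstallerDir.ps1 -InstallerDir 'C:\path\to\plesk-installer'` from an elevated prompt. A hit on the DLL check is worth treating as an incident indicator regardless of signature status, since a signed copy of a system DLL in the wrong folder is still a hijack candidate; a hit on the ACL check is the condition to fix first, because removing broad write access removes the local attacker's ability to plant anything there at all.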
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Plesk / Plesk Installer, affected range: 3.27.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.