Symptoms
A Parallels Business Automation - Standard (PBA-S) product security audit revealed a CSRF vulnerability that allows an attacker to target an administrator via a specially prepared web page. The consequences of the attack may include remote code execution and session hijacking of the PBA-S administrator account.
Another vulnerability is the API left open on port 80, which allows attackers to perform almost any action while bypassing authorization.
The fix for these vulnerabilities will be included in a future update. However, taking into account the high-risk nature of the vulnerabilities, we strongly recommend that PBA-S providers running PBA-S 4.3 and 4.5 install the hotfixes below.
Resolution
Please apply the following hotfixes for both vulnerabilities:
For the CSRF issue:
Download the hotfix installer and run it on a PBA-S node. The installer downloads all necessary patches and installs them.
Installation:
# wget http://download.pa.parallels.com/pbas/4.5/hotfixes/KB122542/installer.sh
# sh installer.sh
Confirm the installation by pressing "y" when prompted. Feel free to contact Technical Support in case of any difficulties with the hotfix installation.
Note: PBA-S services will be restarted automatically after the hotfix has been installed.
For the API issue:
Check and update the PBA-S configuration to deny API access to the server from non-trusted hosts because of this critical security risk:
The configuration file /etc/hspcd/conf/hspc_frontend.conf MUST look like:
<Location /hspc/xml-api>
Order Deny,Allow
Deny from all
</Location>
This means the API directory will not be accessible to anyone on the default port (80): all access must be denied. If you are using a remote PBA-S store or some kind of API customization, use an SSL channel as described in section 4 of the PBA-S SDK documentation.
Note: In order to apply the changes, restart/reload the httpd service:
# service httpd reload
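The following script is an added verification aid, not part of the Parallels hotfix or this article: it parses the Location block the way an auditor would, failing if the directives are missing or an Allow line re-opens the API, and optionally probes port 80 to confirm httpd answers 403 after the reload. It assumes the config path given above and that curl is installed for the probe.

```shell
#!/bin/sh
# Added verification for the API-exposure fix (not Parallels code).
# Checks that the PBA-S frontend config denies all access to /hspc/xml-api
# and, optionally, that httpd on port 80 really refuses the API path.

# Config path from the article; override by passing another file.
PBAS_CONF_DEFAULT=/etc/hspcd/conf/hspc_frontend.conf

# pbas_api_denied [conf_file]
# Returns 0 when the <Location /hspc/xml-api> block contains both
# "Order Deny,Allow" and "Deny from all" and no "Allow from" line that
# would override the deny; returns 1 if any condition fails, 2 if the
# file cannot be read.
pbas_api_denied() {
    conf="${1:-$PBAS_CONF_DEFAULT}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        # Block header matched case-insensitively, tolerating extra spaces.
        tolower($0) ~ /^[ \t]*<location[ \t]+\/hspc\/xml-api[ \t]*>/ { inblk = 1; found = 1; next }
        tolower($0) ~ /^[ \t]*<\/location>/ { inblk = 0; next }
        inblk {
            line = tolower($0); sub(/^[ \t]+/, "", line)
            if (line ~ /^order[ \t]+deny[ \t]*,[ \t]*allow/) order = 1
            if (line ~ /^deny[ \t]+from[ \t]+all/) deny = 1
            if (line ~ /^allow[ \t]+from/) allow = 1   # an Allow wins under Deny,Allow
        }
        END { if (found && order && deny && !allow) exit 0; exit 1 }
    ' "$conf"
}

# pbas_api_probe host
# Prints the HTTP status httpd returns for the API path over plain port 80.
# A correctly configured node answers 403; anything else needs attention.
pbas_api_probe() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/hspc/xml-api"
}

# Typical use on a PBA-S node after "service httpd reload":
#   pbas_api_denied && [ "$(pbas_api_probe 127.0.0.1)" = 403 ] && echo "API denied on port 80"
```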