2FA Bypass Flaw Reported in cPanel and WHM Software
Security researchers from Digital Defense have found a significant security problem in cPanel, a common software suite that facilitates the management of a web hosting server. Attackers could exploit the flaw to bypass two-factor authentication (2FA) for cPanel accounts and manage the associated websites and conduct a brute force attack to infiltrate user accounts.
Such an attack can be accomplished in minutes, according to researchers with Digital Defense, enabling hackers to gain unwarranted access to users’ website management tools and compromise the sites they host on cPanel.
“Digital Defense, Inc., a leader in vulnerability and threat management solutions, announced on 24th November 2020 that its Vulnerability Research Team (VRT) uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.” reads the post published by Digital Defense. “c_Panel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.”
The flaw could have a dramatic effect because web hosting companies are currently using the software suite to handle more than 70 million domains worldwide. The experts found that the cPanel & WebHost Manager (WHM) program 2FA implementation was vulnerable to brute-force attacks that allowed attackers to guess URL parameters and bypass 2FA. The exploitation of this bug requires that attackers have valid credentials for a targeted account.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. “Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt. The issue has now been resolved in several builds including 11.92.0.2, 11.90.0.17 and 11.86.0.32
