More than 70 million sites are managed via cPanel software, according to the company.
Security researchers from Digital Defense have discovered a major security issue in cPanel, a popular software suite that facilitates the management of a web hosting server.
Attackers could exploit the flaw to bypass two-factor authentication (2FA) for cPanel accounts and manage the associated websites.
“Digital Defense, Inc., a leader in vulnerability and threat management solutions, today announced that its Vulnerability Research Team (VRT) uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.” reads the post published by Digital Defense. “c_Panel &WHM version 220.127.116.11 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.”
The flaw could have a dramatic impact because the software suite is currently used by web hosting providers to manage more than 70 million domains across the world.
The experts discovered that the 2FA implementation of cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed attackers to guess URL parameters and bypass 2FA.
The exploitation of this bug requires that attackers have valid credentials for a targeted account.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. “Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
Researchers added that attackers could bypass the 2FA in a few minutes. This issue was addressed with the release of the following builds:
Website admins urge to check if their hosting provider has updated their cPanel installation.
(SecurityAffairs – hacking, malware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.