Popular web hosting control platform cPanel had a major security bug. Specifically, the vulnerability affected the cPanel two-factor authentication feature that could allow password guessing brute force.
cPanel Two-factor Authentication Vulnerable
Reportedly, Digital Defense Inc has disclosed a serious security vulnerability in cPanel two-factor authentication.
Sharing the details via a press release, the cybersecurity firm revealed that the two-factor authentication feature in cPanel lacked an attempt limit. Hence, it became possible for an adversary to guess the 2FA code via brute-forcing upon knowing the valid login credentials. In turn, the attacker could take control of the entire website.
cPanel &WHM version 184.108.40.206 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.
Describing the vulnerability (SEC-575) in an advisory, cPanel stated,
The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.
According to Digital Defense, performing this attack would only take minutes.
Although, cPanel advisory shows that the vulnerability received a CVSS score of 4.3, which hints at its medium-severity. However, given the huge user base of cPanel, this serious vulnerability poses a threat to over 70 million domains.
Patches Rolled Out
Upon discovering the vulnerability, the researchers reached out to the vendors to report the bug.
Eventually, the cPanel team addressed the flaw and released fixes with builds 220.127.116.11, 18.104.22.168, and 22.214.171.124.
The researchers then disclosed the bug publicly after the patches arrived.
Despite that it had a vulnerability, applying 2FA is still important to protect the cPanel accounts. Therefore, users must check their respective cPanel platform versions to ensure running the updated version. This is particularly important for those who have enabled two-factor authentication on cPanel login.