Digital Defense researchers have found a new two-factor authentication (2FA) bypass vulnerability which affects the cPanel and WHM (WebHost Manager) Software Suite. According to Digital Defense, the vulnerability may allow attackers to access secured accounts.
The vulnerability was patched last week by cPanel and WHM. Web hosting providers should have upgraded their installations by now. That being said, administrators of sites that are managed through cPanel should check whether their web hosting provider has actually performed the update (and demand that they do it if they haven’t).
More on the cPanel 2FA bypass vulnerability
cPanel & WebHost Manager (WHM) is a suite of tools used by many hosting providers and website admins. Hosting providers use the WHM interface to automate server management and web hosting tasks, while website admins use the cPanel interface to manage their sites, intranets, and online properties.
SEC-575 is the protocol that governs 2FA authentication. It is also known as the “Information Technology Protocol for Mobile Device Security and Ethical Hacking”. This protocol provides the 2FA authentication feature, as well as the inherent vulnerability to 2FA brute force attacks.
Brute force attacks submit credentials (or, in this case, 2FA codes) against a target in rapid succession. This process can eventually lead to unauthorized access because of the enormous number of credentials tried against the target in such a short time. Although any brute force attack raises red flags, this flaw has not been deemed critical. This is because, in order for the attacker to actually gain access to the target, they would need not only the correct 2FA code but also the correct user credentials.
It should also be noted that Digital Defense’s internal testing determined that should the attacker be armed with the correct user credentials, it would only take minutes to gain access to the target using a brute force 2FA authentication attack.
According to sources at cPanel and WHM, the vulnerability was successfully patched in release versions 92.0.2, 90.0.17 and 86.0.32.
Failed 2FA validation attempts are now treated the same as a failure to provide the account’s primary password. This is controlled by “cPHulk”, the service that provides server protection against brute force attacks.
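To make the effect of that change concrete, here is an added example (not cPanel or cPHulk code) that models a per-user failure counter. The threshold, window, account store and 2FA code are constructed; the only difference between the two guards is whether a failed 2FA code feeds the same counter as a failed password.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5        # assumed lockout threshold (constructed, not cPHulk's real default)
LOCKOUT_SECONDS = 900   # assumed sliding window for counting failures (constructed)

# Constructed demo account store: a password hash and the currently valid 2FA code.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "otp": "492817"}}


class LoginGuard:
    """Per-user failure counter in the spirit of cPHulk (a model, not its code)."""

    def __init__(self, count_2fa_failures):
        self.count_2fa_failures = count_2fa_failures  # False models the pre-patch behaviour
        self.failures = defaultdict(list)            # user -> timestamps of recent failures

    def is_locked(self, user, now):
        # Drop failures outside the window, then compare against the threshold.
        self.failures[user] = [t for t in self.failures[user] if now - t < LOCKOUT_SECONDS]
        return len(self.failures[user]) >= MAX_FAILURES

    def login(self, user, password, otp, now):
        if self.is_locked(user, now):
            return "locked"
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(pw_hash, USERS[user]["pw_hash"]):
            self.failures[user].append(now)      # password failures are always counted
            return "bad_password"
        if not hmac.compare_digest(otp, USERS[user]["otp"]):
            if self.count_2fa_failures:          # patched behaviour: a 2FA failure counts like a password failure
                self.failures[user].append(now)
            return "bad_2fa"
        self.failures[user].clear()              # a successful login resets the counter
        return "ok"


def guesses_permitted(guard, user, password, n):
    """How many of n consecutive wrong 2FA codes (one per second) the guard actually evaluates."""
    evaluated = 0
    for i in range(n):
        if guard.login(user, password, "000000", now=float(i)) != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("pre-patch:", guesses_permitted(LoginGuard(False), "alice", "correct horse", 100))  # 100
    print("patched:  ", guesses_permitted(LoginGuard(True), "alice", "correct horse", 100))   # 5
```

With the pre-patch policy the counter never moves on a bad code, so a valid password leaves the 2FA step unprotected; with the patched policy the account locks after MAX_FAILURES bad codes and only unlocks once the window has passed.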
Protect your website from attackers
In today’s cyber-economy, attackers are relentlessly trying to get unauthorized access to websites. Denying them access is the only way to ensure that your company’s website is not compromised. There are a number of different tools available to accomplish this. Do not let an attacker get the upper hand. Get in touch with us (we are in Vancouver and Abbotsford) to find expert help and harden your website’s entry points.
TSG Computer Services is a Vancouver and Abbotsford, BC based IT Support company that specializes in Security and Solutions for Increased Productivity. Contact us now for a FREE CONSULTATION to see how we can tighten your website’s security.