A previously undisclosed vulnerability in the web hosting control panel cPanel as well as the company's WebHost Manager (WHM) has been discovered by the vulnerability and threat management firm Digital Defense.
cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting related tasks. cPanel has served the global hosting community for more than 20 years and over 70m domains have been launched using its software.
The vulnerability, discovered by Digital Defense which affects cPanel and WHM version 11.90.05 (90.0 Build 5), is a two-factor authentication bypass flaw that can be exploited by brute force attacks. As a result, an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on a user's cPanel or WHM account.
- We've rounded up the best web hosting deals ahead of Black Friday
- These are the best VPS hosting providers for your website
- We've also highlighted the best WordPress hosting
CPanel provided further details on the vulnerability in a recent security advisory, saying:
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
Two-factor authentication bypass flaw
According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.
Thankfully though, cPanel has patched the flaw in builds 18.104.22.168, 22.214.171.124, 126.96.36.199 and users just need to install the latest updates to avoid falling victim to any potential brute force attacks exploiting the vulnerability.
SVP of engineering at Digital Defense, Mike Cotton explained in a press release that the company promptly reached out to cPanel following its discovery, saying:
“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
- Also check out our complete list of the best web hosting services