Sunday, September 26, 2021

cPanel admins urged to close 2FA vulnerability

Administrators who use cPanel applications for automating server management and for helping customers manage their sites are being urged to update to the latest versions and close a two-factor authentication vulnerability.

The updates affect WHM (Web Host Manager), which lets web hosting firms create accounts for customers, and cPanel, which lets them create and manage websites, domains and email networks. cPanel & WHM is a suite of tools built for Linux OSs. cPanel says over 70 million domains have been launched on servers using the two applications.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” the company said. “This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

cPHulk is a brute-force protection service. The updates also fix a cross-site vulnerability and URL parameter injection vulnerabilities in multiple cPanel interfaces.
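The fix described in the quote above, treating a wrong one-time code exactly like a wrong password and feeding it into the account's lockout counter, is sketched below as an added example; it is not cPanel's or cPHulk's code. The failure threshold (5) and lockout (900 s) are assumed values, and the TOTP routine is a standard RFC 6238 implementation included only so the check can be exercised offline.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Assumed policy values for the demo; real deployments tune these.
LOCKOUT_THRESHOLD = 5      # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900      # how long the lock lasts


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; used here only to produce test codes."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class TwoFactorGate:
    """Second-factor check whose failures share one counter with password failures.

    Without this, a 6-digit code has only a million possibilities and a client
    that is free to retry can walk through them; with it, a handful of wrong codes
    locks the account just as a handful of wrong passwords would.
    """

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout = lockout
        self.failures = defaultdict(int)   # account -> consecutive login failures
        self.locked_until = {}             # account -> unix time the lock expires

    def record_failure(self, account: str, now: float) -> None:
        """Shared by the password step and the 2FA step: any failure counts."""
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.lockout

    def verify_code(self, account: str, secret: bytes, submitted: str, now: float) -> str:
        # A locked account is refused before the code is even looked at.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if hmac.compare_digest(totp(secret, now), submitted):
            self.failures[account] = 0
            return "ok"
        self.record_failure(account, now)
        return "bad_code"
```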

The company credits Texas-based security vendor Digital Defense with discovering the 2FA vulnerability. In a statement, the vendor said internal testing showed an attack can be accomplished in minutes.

The Hacker News noted that Zoom had to close a similar vulnerability in its numeric passcode.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
