Administrators who use cPanel applications to automate server management and to help customers manage their sites are being urged to update to the latest versions, which close a two-factor authentication (2FA) bypass vulnerability.
The updates affect WHM (Web Host Manager), which lets web hosting firms create accounts for customers, and cPanel, which lets those customers create and manage websites, domains and email accounts. cPanel & WHM is a suite of tools built for Linux operating systems. cPanel says over 70 million domains have been launched on servers running the two applications.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” the company said. “This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
cPHulk is the brute-force protection service bundled with cPanel & WHM; it counts failed login attempts and temporarily blocks the offending address or account. Before the fix, only password failures were counted, so an attacker who already had the password could submit 2FA codes without limit. The updates also fix a cross-site vulnerability and URL parameter injection vulnerabilities in multiple cPanel interfaces.
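The following is an added example, not cPanel or Digital Defense code, that shows why an unthrottled second-factor check falls to brute force and what the described fix changes. It assumes a 6-digit RFC 6238 TOTP, a verifier that accepts the current 30-second step plus one step either side (a common tolerance), and a cPHulk-style lockout after a fixed number of failures; the secret, timestamp, lockout threshold and request rate are constructed for the demo.

```python
"""Added demo: unthrottled TOTP verification vs. a verifier whose 2FA failures
feed the same lockout counter as password failures. Not cPanel/WHM code."""
import hashlib
import hmac
import struct
from typing import Optional, Set

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for the demo
FIXED_TIME = 1_600_000_000                           # constructed Unix time
STEP = 30


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", now // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def valid_codes(secret: bytes, now: int, window: int = 1) -> Set[str]:
    """Codes a tolerant verifier accepts: the current step and `window` steps either side.
    Every extra accepted code is another target for the attacker."""
    return {totp(secret, now + k * STEP) for k in range(-window, window + 1)}


class LockedOut(Exception):
    """Raised once the lockout budget is spent."""


class UnthrottledVerifier:
    """The flawed behaviour: every submitted code is checked, however many have failed."""

    def __init__(self, secret: bytes, now: int) -> None:
        self.accepted = valid_codes(secret, now)
        self.attempts = 0

    def check(self, code: str) -> bool:
        self.attempts += 1
        return any(hmac.compare_digest(code, c) for c in self.accepted)


class ThrottledVerifier(UnthrottledVerifier):
    """The fix: a failed code is treated like a failed password and feeds a lockout
    counter (hypothetical cPHulk-style threshold; the real threshold is configurable)."""

    def __init__(self, secret: bytes, now: int, max_failures: int = 5) -> None:
        super().__init__(secret, now)
        self.max_failures = max_failures
        self.failures = 0

    def check(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            raise LockedOut(f"locked after {self.failures} failed 2FA codes")
        ok = super().check(code)
        self.failures = 0 if ok else self.failures + 1
        return ok


def brute_force(verifier: UnthrottledVerifier, digits: int = 6) -> Optional[str]:
    """Submit every code in numeric order; return the first accepted one,
    or None if the verifier locks the account first."""
    for i in range(10 ** digits):
        candidate = f"{i:0{digits}d}"
        try:
            if verifier.check(candidate):
                return candidate
        except LockedOut:
            return None
    return None


def expected_seconds(digits: int = 6, window: int = 1,
                     requests_per_second: float = 1000.0) -> float:
    """Mean time to hit one of the (2*window+1) accepted codes at a given request rate."""
    accepted = 2 * window + 1
    return (10 ** digits / accepted) / 2 / requests_per_second


if __name__ == "__main__":
    flawed = UnthrottledVerifier(SECRET, FIXED_TIME)
    print("unthrottled: guessed", brute_force(flawed), "after", flawed.attempts, "attempts")
    fixed = ThrottledVerifier(SECRET, FIXED_TIME)
    print("throttled:   guessed", brute_force(fixed), "after", fixed.attempts, "attempts")
    print(f"expected time at 1000 req/s: {expected_seconds() / 60:.1f} minutes")
```

Against the unthrottled verifier the loop always finds an accepted code; with a one-step tolerance window and a modest 1,000 requests per second the mean time is under three minutes, which matches the vendor's "minutes" claim. Against the throttled verifier the same loop stops at the lockout threshold, which is the point of counting a bad second factor the same way as a bad password.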
The company credits Texas-based security vendor Digital Defense with discovering the 2FA vulnerability. In a statement, the vendor said internal testing showed an attack can be accomplished in minutes.
The Hacker News noted that Zoom had to close a similar vulnerability in its numeric passcode.