A previously undisclosed vulnerability in the web hosting (opens in new tab) control panel cPanel as well as the company's WebHost Manager (WHM) has been discovered by the vulnerability and threat management firm Digital Defense.
cPanel and WHM are a suite of Linux tools that allow hosting providers and their customers to automate server management and other web hosting related tasks. cPanel (opens in new tab) has served the global hosting community for more than 20 years and over 70m domains have been launched using its software.
The vulnerability, discovered by Digital Defense which affects cPanel and WHM version 11.90.05 (90.0 Build 5), is a two-factor authentication (opens in new tab) bypass flaw that can be exploited by brute force attacks. As a result, an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on a user's cPanel or WHM account.
- We've rounded up the best web hosting deals (opens in new tab) ahead of Black Friday
- These are the best VPS hosting (opens in new tab) providers for your website
- We've also highlighted the best WordPress hosting (opens in new tab)
CPanel provided further details on the vulnerability in a recent security advisory (opens in new tab), saying:
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”
Two-factor authentication bypass flaw
According to Digital Defense, the firm's internal testing demonstrated that an attack can be carried out against a vulnerable cPanel or WHM account in minutes.
Thankfully though, cPanel has patched the flaw in builds 184.108.40.206, 220.127.116.11, 18.104.22.168 and users just need to install the latest updates to avoid falling victim to any potential brute force attacks (opens in new tab) exploiting the vulnerability.
SVP of engineering at Digital Defense, Mike Cotton explained in a press release (opens in new tab) that the company promptly reached out to cPanel following its discovery, saying:
“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
- Also check out our complete list of the best web hosting (opens in new tab)services