danaxneu.blogg.se

Bypass cpanel

On updated cPanel versions, attempts to brute-force the 2FA protection on any account are treated as primary password validation failures, and subsequent attempts are rate limited by cPHulk.

#Bypass cpanel software

Valid credentials needed for exploitation

The vulnerability, tracked as CVE-2020-27641, was found by researchers Michael Clark and Wes Wright of the cybersecurity firm Digital Defense. Attackers could abuse CVE-2020-27641 to bypass 2FA for cPanel accounts on potentially millions of websites because cPanel's Security Policy did not block them from repeatedly submitting two-factor authentication codes.

"When MFA is enabled, a user who has the feature enabled may submit as many attempts for the MFA key as they would like without any lockout or delays to prevent a brute force attack," the researchers said. "This results in a scenario where an attacker with knowledge of valid credentials could bypass MFA protections on an account within a matter of hours. Our testing has demonstrated that with finer tuning of attack it can be accomplished in minutes."

Attackers can only exploit the 2FA bypass flaw on accounts where they have "knowledge of or access to valid credentials."

Security updates available

cPanel has issued security updates to address the vulnerability in cPanel & WHM versions 11.92.0.2, 11.90.0.17, and 11.86.0.32, available for download via Software Update.

#Bypass cpanel code

A security flaw in the cPanel web hosting control panel allows attackers to circumvent two-factor authentication (2FA) checks via brute-force attacks for domains managed using vulnerable cPanel & WebHost Manager (WHM) versions.

cPanel is administrative software regularly installed on shared web hosting services that allows admins and website owners to automate server and website management using a graphical user interface.

For a sense of scale regarding the number of websites potentially exposed to attacks by this flaw, cPanel says that over 70 million domains are hosted on servers using its web hosting management software.

The vulnerability has been fixed (along with two others) in cPanel & WHM versions 92.0.2, 90.0.17, and 86.0.32. “Digital Defense’s internal testing demonstrated that an attack can be accomplished in minutes,” the company noted.

“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” the cPanel Security Team said, explaining the fix.
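A small model of the fix the cPanel Security Team describes, written here as an added example (it is not cPanel's or Digital Defense's code): a login gate in which a failed one-time code feeds the same brute-force lockout counter as a failed password, with the pre-fix behaviour modelled by switching that counting off. The lockout threshold and duration are assumed values, not cPanel's.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed model (not cPanel's code) of the SEC-575 fix: a failed 2FA
# code is treated like a failed password and feeds the brute-force lockout.
MAX_FAILURES = 5         # lockout threshold: assumed value, not cPanel's
LOCKOUT_SECONDS = 900    # lockout duration: assumed value, not cPanel's

@dataclass
class Account:
    password: str
    totp_code: str          # code valid for the current window (constructed)
    failures: int = 0
    locked_until: float = 0.0

class TwoFactorGate:
    def __init__(self, count_2fa_failures: bool, clock=time.monotonic):
        # count_2fa_failures=False models the vulnerable behaviour, where only
        # password failures are counted and 2FA codes can be retried freely.
        self.count_2fa_failures = count_2fa_failures
        self.clock = clock

    def _fail(self, acct: Account) -> str:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def login(self, acct: Account, password: str, code: str) -> str:
        if self.clock() < acct.locked_until:
            return "locked"                  # cPHulk-style lockout in force
        if not hmac.compare_digest(password, acct.password):
            return self._fail(acct)          # password failures always count
        if not hmac.compare_digest(code, acct.totp_code):
            if self.count_2fa_failures:
                return self._fail(acct)      # fixed: 2FA failure == password failure
            return "denied"                  # vulnerable: nothing counted, retry freely
        acct.failures = 0
        return "ok"

def attempts_before_lockout(gate: TwoFactorGate, acct: Account, limit: int) -> int:
    # Wrong codes a caller holding the right password can submit before lockout;
    # returning `limit` means the cap was reached without any lockout.
    for n in range(1, limit + 1):
        if gate.login(acct, acct.password, "000000") == "locked":
            return n
    return limit
```

With counting off, the gate never locks and the account still opens afterwards; with counting on, the fifth wrong code locks the account even for the correct code.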


About the cPanel 2FA bypass vulnerability

cPanel & WebHost Manager (WHM) is a suite of tools used by many hosting providers and users. The former use the WHM interface to automate server management and web hosting tasks, and the latter use the cPanel interface to manage their sites, intranets, and online properties.

SEC-575, as the cPanel Security Team labeled it, made the two-factor authentication feature available to users vulnerable to brute-force attack. “The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques,” the team explained.

The flaw is not deemed critical, mainly because exploiting it also requires that attackers have valid credentials for a targeted account. Still, attackers could overcome that hurdle with a convincing phishing email.

#Bypass cpanel update

A two-factor authentication (2FA) bypass vulnerability affecting the popular cPanel & WHM software suite may allow attackers to access secured accounts, Digital Defense researchers have found. The vulnerability was patched last week and, by now, web hosting providers have hopefully upgraded their installations. Still, admins of sites that are managed through cPanel should check whether their provider performed the update (and demand that they do it if they haven’t).
