A security flaw in the cPanel web hosting control panel allows attackers to circumvent two-factor authentication (2FA) checks via brute-force attacks for domains managed using vulnerable cPanel & WebHost Manager (WHM) versions.
cPanel is an administrative software regularly installed on shared web hosting services that allows admins and website owners to automate server and website management using a graphical user interface.
For a sense of scale regarding the number of websites potentially exposed to attacks by this flaw, cPanel says that over 70 million domains are hosted on servers using their web hosting management software.
Valid credentials needed for exploitation
The vulnerability, tracked as CVE-2020-27641, was found by researchers Michael Clark and Wes Wright of cybersecurity firm Digital Defense.
Attackers could abuse CVE-2020-27641 to bypass 2FA for cPanel accounts on potentially millions of websites because cPanel’s Security Policy did not block them from repeatedly submitting two-factor authentication codes.
“When MFA is enabled, a user who has the feature enabled may submit as many attempts for the MFA key as they would like without any lockout or delays to prevent a brute force attack,” the researchers said.
“This results in a scenario where an attacker with knowledge of valid credentials could bypass MFA protections on an account within a matter of hours. Our testing has demonstrated that with finer tuning of attack it can be accomplished in minutes.”
Attackers can only exploit the 2FA bypass flaw on accounts where they have “knowledge of or access to valid credentials.”
Security updates available
cPanel has issued security updates to address the vulnerability in cPanel & WHM versions 22.214.171.124, 126.96.36.199, and 188.8.131.52, available for download via Software Update.
On updated cPanel versions, attempts to brute force 2FA protection on any accounts will result in primary password validation failures with future attack attempts being rate limited by cPHulk.
“There is no reason to believe that these vulnerabilities have been made known to the public,” the company said last week after releasing the CVE-2020-27641 security updates.
“As such, cPanel will only release limited information about the vulnerabilities at this time.
“Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues.”
cPanel users are advised to reach out to the company directly for more details regarding the 2FA bypass flaw if needed.