2FA Bypass Vulnerability Patched in cPanel & WebHost Manager
cPanel last week released patches to address three vulnerabilities in cPanel & WebHost Manager (WHM), including one leading to two-factor authentication bypass.
A suite of tools built for Linux, cPanel & WHM helps hosting providers and users automate management and web hosting tasks. With over 20 years of web hosting experience, cPanel claims servers using cPanel & WHM have launched more than 70 million domains.
Identified by security researchers at Digital Defense, Inc., the 2FA bypass issue could allow attackers to perform brute-force attacks on cPanel & WHM. An attacker with knowledge of or access to valid credentials, the researchers say, could bypass the 2FA protections on an account within minutes.
The vulnerability, which has a CVSS score of 4.3, allowed an attacker to submit 2FA codes repeatedly.
“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” cPanel explains.
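The behaviour cPanel describes, sketched as an added example (not cPanel's or cPHulk's code): a failed 2FA code feeds the same per-account failure counter as a failed password, and nothing is verified while the account is locked. The thresholds, the `Throttle` class, and the sample account are assumptions made for illustration.

```python
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed threshold, not cPHulk's default
WINDOW_S = 300        # assumed counting window, in seconds
LOCKOUT_S = 900       # assumed lockout duration, in seconds

# Constructed sample account. A real system stores a password hash and
# derives the current code from a TOTP secret instead of storing it.
ACCOUNTS = {"alice": {"password": "correct horse", "code": "492817"}}

class Throttle:
    """Per-account failure counter shared by the password and 2FA checks."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def fail(self, account, now):
        q = self.failures[account]
        q.append(now)
        while q[0] <= now - WINDOW_S:        # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_S
            q.clear()

def login(throttle, account, password, code, now):
    """Return 'ok', 'denied' or 'locked'. Nothing is verified while locked."""
    if throttle.locked(account, now):
        return "locked"
    rec = ACCOUNTS.get(account)
    pw_ok = rec is not None and hmac.compare_digest(password.encode(), rec["password"].encode())
    code_ok = rec is not None and hmac.compare_digest(code.encode(), rec["code"].encode())
    if not (pw_ok and code_ok):              # a bad code counts like a bad password
        throttle.fail(account, now)
        return "denied"
    return "ok"

def codes_checked_before_lockout(account, password, guesses):
    """Feed wrong codes with a valid password; count how many get evaluated."""
    throttle, checked = Throttle(), 0
    for i, guess in enumerate(guesses):
        if login(throttle, account, password, guess, now=i) == "locked":
            break
        checked += 1
    return checked
```

With a valid password and a stream of wrong codes, only `MAX_FAILURES` guesses are ever compared before the account locks, and even the correct code is refused until the lockout expires.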
cPanel & WHM builds 220.127.116.11, 18.104.22.168, and 22.214.171.124 were found vulnerable.
The same builds were also found susceptible to URL parameter injection, due to the manner in which URIs to other interfaces were being created.
When URIs were created by including user-supplied data in URI query parameters, URL encoding rather than URI encoding was used. As a result, users could have been tricked into performing unintended actions.
A third vulnerability addressed last week was a self-XSS issue in the WHM Transfer Tool interface, where error messages were not properly encoded, thus leading to the possible injection of HTML code into some messages. Builds 126.96.36.199 and 188.8.131.52 were found to be vulnerable.
“The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public,” cPanel said last week.