cPanel 2FA bypass vulnerability can be exploited through brute force

A two-factor authentication (2FA) bypass vulnerability affecting the popular cPanel & WHM software suite may allow attackers to access secured accounts, Digital Defense researchers have found.

The vulnerability has been patched last week and, by now, web hosting providers have hopefully upgraded their installations. Still, admins of sites that are managed through cPanel should check whether their provider did perform the update (and demand they do it if they haven’t).

About the cPanel 2FA bypass vulnerability

cPanel & WebHost Manager (WHM) is a suite of tools used by many hosting providers and users. The former use the WHM interface to automate server management and web hosting tasks, and the latter use the cPanel interface to manage their sites, intranets, and online properties.

SEC-575, as it has been labeled by the cPanel Security Team, makes the two factor authentication feature available to users vulnerable to brute force attack.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques,” the team explained.

The flaw is not deemed to be critical, mainly because exploiting it also requires that attackers have valid credentials for a targeted account. Still, attackers could overcome that hurdle with a convincing phishing email.

“Digital Defense’s internal testing demonstrated that an attack can be accomplished in minutes,” the company noted.

The vulnerability has been fixed (along with two others) in cPanel & WHM versions 92.0.2, 90.0.17, and 86.0.32.

“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” the cPanel Security Team explained the fix.