A newly discovered vulnerability allows brute-force attacks to bypass the two-factor authentication set up in cPanel, the popular web hosting control panel. The company has announced that the flaw affects the cPanel and WebHost Manager versions of the tool. This means that thousands of customers who rely on cPanel to build and maintain websites and blogs could be exposed to this threat.
Researchers discover cPanel vulnerability
The vulnerability was discovered by the Vulnerability Research Team (VRT) at Digital Defense. The problem exists because cPanel does not limit how many two-factor authentication codes can be submitted, so it effectively lets a brute-force attacker keep submitting guesses until the right one is reached. Even worse, such a brute-force attack can succeed in as little as minutes.
Attackers may use this brute-force method to access sensitive information in the web hosting account. However, valid credentials are required for the attack to work. Once an attacker has the username and password, they can bypass the two-factor authentication system, which researchers believe is still far from secure, via the CVE-2020-27641 vulnerability.
“When MFA is enabled, a user who has the feature enabled may submit as many attempts for the MFA key as they would like without any lockout or delays to prevent a brute force attack. This results in a scenario where an attacker with knowledge of valid credentials could bypass MFA protections on an account within a matter of hours. Our testing has demonstrated that with finer tuning of attack it can be accomplished in minutes,” Digital Defense said.
The security researchers stress that valid login credentials are needed to perform the attack. Keeping login credentials secure is therefore another way to stay clear of it. The other option is to update to the latest version of cPanel, for which the corresponding security updates have been released. These updates remove the possibility of brute-force attacks by changing the policy on how 2FA codes may be submitted.
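The root cause described above is that an MFA verifier checks every submitted code with no failure counting, and the fix is a submission policy that stops checking after a few wrong codes. The following is an added example, not cPanel's code or Digital Defense's research material: a minimal RFC 6238 TOTP verifier in two variants, one with unlimited attempts (the behaviour the advisory describes) and one with a per-user failure counter and lockout window. The attempt limit, lockout duration, usernames and secret are assumed values chosen for the illustration.

```python
import hmac
import hashlib
import struct

TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumed policy: wrong codes allowed before lockout
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout


def totp_code(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = int(now // TOTP_STEP)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


class UnlimitedVerifier:
    """Models the flaw: every submitted code is evaluated, with no lockout or delay."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.evaluated = 0  # how many codes were actually compared

    def verify(self, user: str, code: str, now: float) -> bool:
        self.evaluated += 1
        return hmac.compare_digest(code, totp_code(self.secret, now))


class LockoutVerifier:
    """Same check, but counts failures per user and refuses to evaluate codes while locked."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.evaluated = 0
        self.state = {}  # user -> (failure_count, locked_until)

    def is_locked(self, user: str, now: float) -> bool:
        _, locked_until = self.state.get(user, (0, 0.0))
        return now < locked_until

    def verify(self, user: str, code: str, now: float) -> bool:
        if self.is_locked(user, now):
            return False  # locked: do not evaluate, even if the code would be right
        count, locked_until = self.state.get(user, (0, 0.0))
        self.evaluated += 1
        if hmac.compare_digest(code, totp_code(self.secret, now)):
            self.state.pop(user, None)  # success clears the failure counter
            return True
        count += 1
        if count >= MAX_ATTEMPTS:
            self.state[user] = (0, now + LOCKOUT_SECONDS)  # lock and reset the counter
        else:
            self.state[user] = (count, locked_until)
        return False


def submit_wrong_codes(verifier, user: str, now: float, attempts: int) -> int:
    """Submit `attempts` wrong codes for `user` and return how many the verifier actually evaluated."""
    real = totp_code(verifier.secret, now)
    wrong = "000000" if real != "000000" else "000001"  # guaranteed not to match
    for _ in range(attempts):
        verifier.verify(user, wrong, now)
    return verifier.evaluated


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    print("unlimited evaluated:", submit_wrong_codes(UnlimitedVerifier(SECRET), "alice", 59, 100))
    print("lockout evaluated:  ", submit_wrong_codes(LockoutVerifier(SECRET), "alice", 59, 100))
```

The lockout verifier is keyed on the account being attacked rather than on the client, so an attacker who already holds the password cannot reset the counter by switching source addresses; a production implementation would additionally log the lockout event so the account owner and SOC see the failed-MFA burst.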
cPanel officials have said that the issue has been fixed and that little information about the vulnerability was made public. The company said it will not share more details about the issue until sufficient time has passed. By then, cPanel expects all servers to have updated to the latest cPanel software, which contains the fix for the issue.
However, users who believe they are affected by this vulnerability, or who need more information on how to fix it, are advised to get in touch with cPanel customer support.