cPanel & WHM: update immediately

A flaw in the cPanel web hosting software allows attackers to bypass two-factor authentication (2FA) by brute force on servers that run vulnerable versions of cPanel & WebHost Manager (WHM).

cPanel is management software installed on web hosting servers; it gives administrators and site owners a graphical interface for automating server and website management.

The vulnerability has been recorded as CVE-2020-27641 and was discovered by Digital Defense researchers Michael Clark and Wes Wright.

Attackers could use CVE-2020-27641 to bypass 2FA on cPanel accounts across millions of websites, because cPanel's security policy did not stop them from repeatedly submitting two-factor authentication codes: a six-digit code has only a million possible values, so an attacker who already holds a valid password can simply try them all.

"Once the MFA is enabled, a user can make as many attempts as they want to find the MFA key without delay and without a ban to prevent a brute-force attack," the researchers said.

"This leads to a scenario where an intruder with valid credentials could bypass MFA protections on an account in a matter of hours. Our tests have shown that with the best coordination of the attack, it can be achieved in a matter of minutes."
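To make the flaw concrete, here is an added Python model (example code written for this article, not cPanel's own code): a minimal RFC 6238 TOTP check, a verifier that, like the one the researchers describe, accepts unlimited guesses with no delay and no lockout, and a hardened verifier that locks the account after a handful of failures. The secret, the timestamp and the lockout parameters are constructed for the demo; the brute force is run at a frozen instant, whereas a real attack spans many 30-second steps. The `expected_guesses` helper generalizes the six-digit case to any code length and skew window.

```python
import hashlib
import hmac
import struct
from functools import lru_cache

# Constructed demo values; the real cPanel secret, step and policy are not on this page.
DEMO_SECRET = b"iguru-demo-totp-key!"   # 20-byte example key, not a real secret
STEP = 30       # seconds per TOTP step (RFC 6238 default)
DIGITS = 6      # code length
WINDOW = 1      # also accept the previous and next step to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now) // STEP)


@lru_cache(maxsize=64)
def _window_codes(secret: bytes, step_counter: int) -> frozenset:
    """All codes accepted during one step (cached so the demo loop stays fast)."""
    return frozenset(hotp(secret, step_counter + d) for d in range(-WINDOW, WINDOW + 1))


def code_is_valid(secret: bytes, code: str, now: float) -> bool:
    """Accept any code in the skew window; each comparison is constant-time."""
    return any(hmac.compare_digest(code, c)
               for c in _window_codes(secret, int(now) // STEP))


class WeakVerifier:
    """Models the flaw: every guess is checked, nothing is counted, no delay, no lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: float):
        return (True, "ok") if code_is_valid(self.secret, code, now) else (False, "rejected")


class ThrottledVerifier:
    """Hardened form: after max_attempts consecutive failures, refuse even
    correct codes until the lockout expires (values are illustrative)."""

    def __init__(self, secret: bytes, max_attempts: int = 5, lockout_seconds: int = 900):
        self.secret = secret
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, code: str, now: float):
        if now < self.locked_until:
            return (False, "locked")          # do not even evaluate the code
        if code_is_valid(self.secret, code, now):
            self.failures = 0                 # a real login resets the counter
            return (True, "ok")
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return (False, "rejected")


def brute_force(verifier, now: float):
    """Try 000000..999999 in order at a frozen instant `now`.
    Returns (accepted code or None, number of verify() calls made)."""
    attempts = 0
    for n in range(10 ** DIGITS):
        attempts += 1
        guess = str(n).zfill(DIGITS)
        ok, reason = verifier.verify(guess, now)
        if ok:
            return guess, attempts
        if reason == "locked":
            return None, attempts             # account is locked; the attacker is stuck
    return None, attempts


def expected_guesses(digits: int = DIGITS, window: int = WINDOW) -> float:
    """Expected sequential guesses until the first hit when k = 2*window+1 codes
    are valid among N = 10**digits candidates: (N + 1) / (k + 1)."""
    return (10 ** digits + 1) / (2 * window + 2)


if __name__ == "__main__":
    NOW = 1_700_000_000                       # constructed timestamp
    code, n = brute_force(WeakVerifier(DEMO_SECRET), NOW)
    print(f"weak verifier: code {code} accepted after {n} guesses "
          f"(expected about {expected_guesses():.0f})")
    code, n = brute_force(ThrottledVerifier(DEMO_SECRET), NOW)
    print(f"throttled verifier: {code} after {n} calls (account locked)")
```

Against the weak verifier the sequential search always succeeds, on average after roughly a quarter of a million guesses for a six-digit code with a one-step skew window; against the throttled verifier it is stopped at the sixth call and the lockout also refuses the correct code until it expires. Lockouts trade denial of service for brute-force resistance, so a production design would normally add per-source rate limiting and alerting rather than rely on the counter alone.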

cPanel has already released fixes in cPanel & WHM versions 11.92.0.2, 11.90.0.17 and 11.86.0.32. The new releases are available through the software's built-in update mechanism; administrators can check the installed version with `/usr/local/cpanel/cpanel -V` and trigger an update from the shell with `/scripts/upcp`.

Anyone running cPanel is advised to update immediately, or to contact the company directly for further details.


Written by giorgos