Digital Defense has disclosed details of a two-factor authentication vulnerability in the web hosting platform cPanel & WebHost Manager (WHM). WHM is the management system behind more than 70 million domains. The vulnerability allowed the second factor itself to be brute forced: nothing stopped an attacker from submitting one guess after another, and Digital Defense showed that a successful attack took just minutes.

However, there is a caveat. The attacker would need to know, or have access to, a valid username and password. That narrows the attack surface to stolen credentials or insider attacks, but it still leaves more than 70 million sets of credentials in play (assuming one per domain). It also means that web hosting firms will need to make sure they have updated every instance of WHM.
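To make the failure mode concrete, the following added example (written for this page; it is not cPanel's code, nor Digital Defense's proof of concept) models a six-digit TOTP second factor behind two hypothetical verifiers: one that checks every guess no matter how many have failed, which is what a brute-forceable 2FA step amounts to, and one that locks the account's 2FA step after a handful of failures. The attacker in the model already holds the password, exactly the precondition described above. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps), the secret and clock are constructed values so the run is deterministic, and the class and function names are assumptions for the illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter,
    dynamically truncated to a 6-digit code (the scheme authenticator apps use)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class LockedOut(Exception):
    """Raised once a verifier refuses to accept further guesses."""


class UnlimitedVerifier:
    """Models the flawed behaviour: every guess is checked, however many have
    already failed. Hypothetical class, not cPanel's implementation."""

    def __init__(self, secret: bytes, unix_time: int) -> None:
        self.expected = totp(secret, unix_time)

    def verify(self, code: str) -> bool:
        return hmac.compare_digest(code, self.expected)


class LockoutVerifier:
    """Hardened form: after max_attempts consecutive failures the 2FA step is
    locked and further guesses are refused rather than checked."""

    def __init__(self, secret: bytes, unix_time: int, max_attempts: int = 5) -> None:
        self.expected = totp(secret, unix_time)
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_attempts:
            raise LockedOut(f"2FA locked after {self.failures} failed attempts")
        if hmac.compare_digest(code, self.expected):
            self.failures = 0
            return True
        self.failures += 1
        return False


def brute_force(verifier, digits: int = 6):
    """Submit every code from 000000 upwards, as an attacker who already holds
    the password would. Returns (code_found_or_None, guesses_accepted)."""
    guesses = 0
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        try:
            ok = verifier.verify(code)
        except LockedOut:
            break
        guesses += 1
        if ok:
            return code, guesses
    return None, guesses


# Constructed sample inputs: a fixed shared secret and a fixed clock so the
# demonstration is repeatable. Real secrets are random and never hard-coded.
SECRET = b"constructed-demo-secret-not-real"
T0 = 1_605_600_000  # arbitrary fixed Unix time


def demo():
    flawed_result = brute_force(UnlimitedVerifier(SECRET, T0))
    hardened_result = brute_force(LockoutVerifier(SECRET, T0))
    return {"flawed": flawed_result, "hardened": hardened_result}


if __name__ == "__main__":
    r = demo()
    print("no attempt limit: code", r["flawed"][0], "recovered after", r["flawed"][1], "guesses")
    print("with lockout    : recovered", r["hardened"][0], "; refused after", r["hardened"][1], "guesses")
```

The flawed verifier gives up the code after on average about half a million guesses, which a scripted attacker submitting a few hundred requests a second reaches in minutes. The model freezes the expected code at one time step; a live TOTP verifier rotates it every 30 seconds and usually accepts a step or two of clock skew, which only widens the target for a guessing attack, so the lockout (or equivalent rate limiting keyed to the account and source address) is what actually closes the hole.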

cPanel moves to fix the authentication vulnerability

News of the vulnerability was withheld until cPanel could ship a fix for its platform. cPanel issued the update on November 17 and says the issue is resolved in the following builds:


Mike Cotton, senior vice president of engineering at Digital Defense, said: “Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”

Enterprise Times: What does this mean

Most websites hosted on Linux are managed through cPanel and WHM; it is the most widely deployed management suite of its kind. That a flaw this serious survived in software this widely used shows how important security testing is. Although Digital Defense classed this as a zero-day vulnerability, it gave cPanel time to fix the issue under coordinated disclosure.

However, many hosting companies will not yet have updated to a fixed build. Website owners should log in and check which version of cPanel they are running. If it is not one of the three fixed builds listed above, they should contact their hosting provider and ask for an update.


