Digital Defense has disclosed details of a two-factor authentication vulnerability in web hosting platform cPanel & WebHost Manager (WHM). WHM is the management system behind more than 70 million domains. The vulnerability allowed the two-factor authentication to be subjected to a brute force attack. Digital Defense was able to show it took just minutes for a successful attack to take place.
However, there is a caveat. The attacker would need knowledge of, or access to, valid credentials. This narrows the attack surface to stolen credentials or insider attacks. That still means more than 70 million sets of credentials (assuming one per domain). It also means that web hosting firms will need to make sure they have updated all instances of WHM.
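The control that defeats this class of attack is a cap on failed second-factor attempts per account followed by a lockout, so that a six-digit code space can never be exhausted online. The following is an added illustration, not code from cPanel or Digital Defense: the TOTP routine follows RFC 6238, while the cap of five attempts and the 15-minute lockout are assumed values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

DIGITS = 6   # a 6-digit code gives only 10**6 possibilities
STEP = 30    # TOTP time step in seconds


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


@dataclass
class SecondFactorVerifier:
    """Verifies TOTP codes and locks an account after too many failures.

    max_failures and lockout_seconds are assumed policy values, not cPanel's.
    """
    secret: bytes
    max_failures: int = 5
    lockout_seconds: int = 900
    # account -> (consecutive failures, locked-until timestamp)
    state: dict = field(default_factory=dict)

    def verify(self, account: str, code: str, now: float) -> str:
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"          # refuse even a correct code while locked
        # Accept the current and previous step to absorb small clock drift.
        expected = (totp(self.secret, now), totp(self.secret, now - STEP))
        if any(hmac.compare_digest(code.encode(), e.encode()) for e in expected):
            self.state.pop(account, None)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # Brute force is bounded to max_failures guesses per lockout window.
            self.state[account] = (0, now + self.lockout_seconds)
            return "locked"
        self.state[account] = (failures, 0.0)
        return "bad"
```

With these values an online attacker gets at most 480 guesses per day against a space of one million codes, instead of the unbounded attempt rate that made the reported attack succeed in minutes.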
cPanel moves to fix the authentication vulnerability
News of the vulnerability was withheld until cPanel could issue an update to its platform. cPanel issued an update on November 17. It says the issue is resolved in builds:
- 11.92.0.2
- 11.90.0.17
- 11.86.0.32
Mike Cotton, senior vice president of engineering at Digital Defense, said: “Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
Enterprise Times: What does this mean
The majority of websites hosted on Linux will be using cPanel and WHM as their management suite. It is the most popular and widely deployed software of its kind. That such a serious flaw could exist in software this widely deployed shows how important testing is. Although Digital Defense classed this as a zero-day, it gave cPanel time to issue a fix under responsible disclosure rules.
However, many hosting companies will not have updated to the latest version. All website owners must log in and check what version of cPanel they are using. If it is not one of the three above, they should contact their hosting provider and ask for an update.