Breaking News

cPanel admins urged to close 2 Factor Authentication Vulnerability



cPanel admins urged to close 2 Factor Authentication Vulnerability

Administrators using cPanel applications to automate server management and help clients manage their sites are urged to update to the latest versions and to close the two-factor authentication vulnerability. 

The update affects WHM (Web Host Manager), which lets web hosting firms create accounts for customers and cPanel, which lets them create and manage websites, domains and email networks. 

cPanel & WHM is a suite of tools built for the Linux OS. 

cPanel states that more than 70 million domains have been launched on servers using two applications. 

"The two-factor authentication cPanel security policy did not prevent an attacker from repeatedly submitting a two-factor authentication code," the company said. 

"This allowed an attacker to bypass two-factor authentication checks using brute force techniques.

 Unsuccessful validation of a two-factor authentication code is now considered equivalent to account primary password verification and a limited rate failure by cPHulk. "cPHulk is a brute-force protection service. 

The updates also fix a cross-site vulnerability and URL parameter injection vulnerability in many cPanel interfaces. 

The company credits Texas-based security vendor Digital Defense with the discovery of a 2FA vulnerability. 

In a statement, the seller stated that internal testing showed that an attack could be completed within minutes. Hacker News noted that Zoom had to close a similar vulnerability in its numerical passcode.

No comments