Digital Defense, a vulnerability and threat management solutions provider, announced that its Vulnerability Research Team uncovered a previously undisclosed vulnerability in cPanel & WHM, the popular web hosting control panel. The two-factor authentication bypass flaw was found in cPanel & WHM version 220.127.116.11. It allows an attacker who already knows or holds valid account credentials to brute-force the second factor and so bypass the two-factor authentication protection; the flaw does not itself disclose passwords, it defeats the extra check that is supposed to contain a stolen one.
Digital Defense also stated that the attack can be accomplished in minutes. The flaw is tracked as “SEC-575” and cPanel has fixed it in versions 18.104.22.168, 22.214.171.124, and 126.96.36.199 of the software. The root cause is the absence of rate limiting on two-factor code submissions during login, which lets a third party submit 2FA codes repeatedly until one is accepted. Because a six-digit time-based code has only one million possible values, an attacker who is never throttled needs only request throughput, not any weakness in the code generator, to land on the current code. cPanel stated in its advisory:
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.”
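The advisory above describes the missing control, not how the check is coded, so the following is an added example written for this article (not cPanel's code and not Digital Defense's proof of concept). It implements RFC 6238 TOTP with the Python standard library, then compares a constructed verifier that accepts unlimited submissions with one that locks after a small failure budget. The secret and timestamp are the RFC 4226/6238 SHA-1 test vector, chosen so the expected code (287082) is known and the run is deterministic; the class names, the failure budget of five, and the sequential guessing order are all assumptions made for the demonstration.

```python
"""Constructed example: why unlimited 2FA code submissions are brute-forceable.

RFC 6238 TOTP from the standard library only, then two verifiers:
  * UnlimitedVerifier  - the vulnerable pattern: every guess is checked
  * LockingVerifier    - the hardened pattern: a failure budget, then lockout
The secret/time pair is the RFC 4226/6238 SHA-1 test vector (T=59 -> 287082).
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC test-vector seed (constructed input, not a real key)
FIXED_TIME = 59                    # frozen clock: RFC 6238 gives code 287082 at T=59
DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


class UnlimitedVerifier:
    """Vulnerable pattern: each submission is checked regardless of prior failures."""

    def __init__(self, secret: bytes, unix_time: int):
        self._expected = totp(secret, unix_time)  # frozen clock keeps the demo deterministic
        self.attempts = 0
        self.locked = False  # never set here; present so both verifiers share one interface

    def check(self, code: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(code, self._expected)


class LockingVerifier(UnlimitedVerifier):
    """Hardened pattern (assumed policy): MAX_FAILURES wrong codes lock the session.
    Unlocking would happen out of band (lockout timer or administrator), not here."""

    MAX_FAILURES = 5

    def __init__(self, secret: bytes, unix_time: int):
        super().__init__(secret, unix_time)
        self.failures = 0

    def check(self, code: str) -> bool:
        if self.locked:
            return False  # refuse even a correct code once locked
        ok = super().check(code)
        if not ok:
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.locked = True
        return ok


def brute_force(verifier, digits: int = DIGITS):
    """Submit every code in ascending order until one is accepted or the verifier locks.
    Returns (accepted_code or None, number of submissions the verifier processed)."""
    for guess in range(10 ** digits):
        if verifier.locked:
            break
        if verifier.check(str(guess).zfill(digits)):
            return str(guess).zfill(digits), verifier.attempts
    return None, verifier.attempts


if __name__ == "__main__":
    code, n = brute_force(UnlimitedVerifier(SECRET, FIXED_TIME))
    print(f"unlimited verifier: code {code} accepted after {n} submissions")
    code, n = brute_force(LockingVerifier(SECRET, FIXED_TIME))
    print(f"locking verifier:   {code} accepted after {n} submissions (session locked)")
```

Against the unlimited verifier the loop simply walks the code space and succeeds; against the locking verifier it is stopped after five submissions, and the correct code is refused afterwards until the lockout is cleared. A real deployment would additionally rate-limit per account and per source address and reset the budget on a timer, but the essential fix the advisory describes is the same: bound the number of second-factor guesses a session may make.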