Digital Defense, a vulnerability and threat management solutions provider, announced that its Vulnerability Research Team uncovered a previously undisclosed vulnerability affecting the popular web hosting platform cPanel. The two-factor authentication bypass flaw was found in cPanel & WHM version 11.90.0.5; it leaves the software open to a brute-force attack that lets an attacker who knows or has access to valid credentials bypass the two-factor authentication protection.
Within minutes
Digital Defense also stated that the attack can be accomplished in minutes. The flaw is tracked as “SEC-575” and was remedied by cPanel in versions 11.92.0.2, 11.90.0.17, and 11.86.0.32 of the software. It is caused by a lack of rate limiting on two-factor code submissions during login, which allows third parties to submit 2FA codes repeatedly. cPanel stated in its advisory,
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.”
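To show the control whose absence the advisory describes, here is an added example (written for this article, not cPanel's code): an RFC 6238 TOTP check wrapped in a per-account failure counter and lockout. The threshold and lockout window are constructed values, not cPanel's settings, and the clock is injectable so the behaviour can be tested offline.

```python
import hmac
import hashlib
import struct
import time
from collections import defaultdict

# Constructed policy values for this example (not cPanel's settings).
MAX_FAILURES = 5          # failed 2FA submissions allowed before lockout
LOCKOUT_SECONDS = 300     # how long the account's 2FA step stays locked


def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Second-factor check with a per-account failure counter.

    Without the counter, a caller holding valid credentials could keep
    submitting codes until one matched, which is the weakness in SEC-575.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(int)   # account -> failed submissions
        self._locked_until = {}              # account -> unlock timestamp

    def verify(self, account: str, secret: bytes, submitted: str) -> str:
        now = int(self._now())
        if self._locked_until.get(account, 0) > now:
            return "locked"          # reject without evaluating the code
        expected = totp(secret, now)
        if hmac.compare_digest(expected, submitted):
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            # Burst of failures on one account: lock and raise an alert here.
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return "locked"
        return "bad_code"
```

A correct code submitted while the account is locked is still rejected, so the lockout closes the window rather than merely slowing the guesser.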