Taking a Guess @ 2-Factor Authentication

cPanel and Web Host Manager (WHM) are two popular administrative tools for web site administrators, published by cPanel LLC. According to cPanel, over 70 million web sites are administered with its software. One of the software's security features is two-factor authentication using a mobile application such as Google Authenticator, Microsoft Authenticator, or Duo. Recently, a flaw was discovered that allows an attacker to guess the two-factor authentication token with a brute-force attack.

To better understand the attack, let's first step back and look at how two-factor authentication tokens are generated. The method implemented by the mobile applications listed above is the Time-Based One-Time Password algorithm (TOTP), specified in RFC 6238.

Authentication takes place between a validator, in this case the cPanel software, and an authenticator, in this case the Google Authenticator mobile app. Before a user can be authenticated, the validator and the authenticator must share a secret; without this secret, an attacker cannot generate a valid one-time password. When the user activates two-factor authentication within cPanel, they either scan a QR code or manually enter the Account and Key data, the shared secret, into the authenticator. Now both cPanel and the authenticator app hold the secret Key value. TOTP, as the name implies, generates tokens based on the current time: the secret Key is combined with the current time to produce a one-time password for the user. As long as their clocks are close enough to each other, the validator and the authenticator will generate the same one-time password at any given time.

Now you might be asking -  if the secret is combined with the current time, how often does the password change?  Every second?  Every minute?  That is actually a great question.

RFC 6238, which describes the TOTP algorithm, recommends a time step of 30 seconds, so each one-time password is valid for 30 seconds. This gives the user enough time to open the smart phone app, read the one-time password and type it into the login screen.

This means that each one-time password is valid for at least 30 seconds. But that's only part of the story. To account for clock drift and network delay between the validator and the authenticator, the RFC also allows the validator to accept codes from neighbouring time steps (it recommends allowing at most one step of delay, but implementations commonly accept a wider window). With a window of two steps in the past and one step in the future, as used in the example here, four one-time passwords are accepted by the validator at any given moment, and each individual code remains acceptable for a span of 2 minutes.

The black-and-white diagram here illustrates this.


At time T, the current time, OTP 0 is the code for the current step. With the window described above, the validator, in our case cPanel, also accepts the other three OTPs shown: the one that becomes current at T plus 30 seconds, and the two that were current 30 seconds and 60 seconds ago.

Typically, one-time passwords are made up of six digits, with no letters or special characters, meaning there are only 1,000,000 possible values.
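As an added illustration (not code from this article or from cPanel), here is the TOTP computation from RFC 4226/6238 together with a validator that accepts the window just described. The secret is the ASCII test seed from RFC 6238, so the codes can be checked against the RFC's own test vectors; the 30-second step, six digits, and the two-back/one-forward window are the parameters assumed above, not cPanel's confirmed settings.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 recommended time step, in seconds
DIGITS = 6       # code length produced by the authenticator apps named above
LOOKBACK = 2     # past steps the validator accepts (the window assumed in the article)
LOOKAHEAD = 1    # future steps the validator accepts

# RFC 6238 test seed (ASCII "12345678901234567890"); a real deployment shares a random secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def accepted_codes(secret: bytes, unix_time: int,
                   lookback: int = LOOKBACK, lookahead: int = LOOKAHEAD) -> list:
    """Every code the validator accepts at this instant, oldest step first (one per step in the window)."""
    current = unix_time // TIME_STEP
    return [hotp(secret, current + d) for d in range(-lookback, lookahead + 1) if current + d >= 0]


def verify(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Validator-side check: compare the submitted code against each code in the window, in constant time."""
    return any(hmac.compare_digest(submitted, code) for code in accepted_codes(secret, unix_time))


def acceptance_span_seconds(secret: bytes, issued_at: int) -> int:
    """Slide the validator's clock second by second around `issued_at` and count how long the
    code generated then keeps being accepted; with a 2-back/1-forward window that is 4 steps."""
    code = totp(secret, issued_at)
    window = range(issued_at - 3 * TIME_STEP, issued_at + 4 * TIME_STEP)
    return sum(1 for t in window if verify(secret, code, t))


if __name__ == "__main__":
    now = 1111111111  # one of the RFC 6238 test times
    print("code now:", totp(RFC_TEST_SECRET, now))
    print("accepted now:", accepted_codes(RFC_TEST_SECRET, now))
    print("seconds a code stays acceptable:", acceptance_span_seconds(RFC_TEST_SECRET, now))
```

Running it with the RFC seed at time 1111111111 gives 050471 as the current code (the RFC lists 14050471 for eight digits), shows four accepted codes, and reports that any one code is accepted for 120 seconds, which is where the 2-minute figure above comes from.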

So now we come to the cPanel application and how it accepts the one-time password from the user. The user submits the code through the web browser; when the user clicks the Continue button, the value is sent to the cPanel software. The one-time password is then checked against the TOTP values calculated on the server, and if it matches one of them the user is allowed to continue. Otherwise, the user is shown an error message.

However, at the time of writing there was no limit on how many times a one-time password could be submitted to the server, and no lockout after several invalid submissions. With a bit of programming knowledge, an attacker can write a script that sends one-time password guesses at a high rate, hoping that one of them matches one of the codes the server currently accepts. Remember that each code is accepted for around 2 minutes, which is a long time when the process is automated, and that at any moment four of the 1,000,000 possible values are accepted. Each guess therefore has roughly a 4 in 1,000,000 chance of succeeding, so on average an attacker needs about 250,000 guesses; at a few hundred requests per second that is well under an hour. More than 2 minutes? Yes, but far less than a day.

This vulnerability has been assigned CVE-2020-2764 and is patched in versions of the software newer than those listed on the slide.

We recommend that if you are using cPanel, please upgrade as soon as possible.

A possible mitigation, if you are unable to deploy this patch immediately, is to rate-limit requests to the cPanel authentication endpoints, for example at a reverse proxy such as nginx or HAProxy placed in front of cPanel. Where possible, limit per account as well as per source address: a limit keyed only on the client IP is sidestepped by spreading the guesses across many addresses.
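The following is an added example of the kind of limiting described above, not cPanel's own code and not an nginx or HAProxy configuration: a sliding-window failure counter keyed by (client address, account) with a lockout, placed in front of the OTP check, plus a simulation of the sequential guessing an attacker would run against an unthrottled endpoint and against the limited one. The policy constants (five failures per two-minute window, fifteen-minute lockout), the client addresses and the four accepted codes are all constructed for the demonstration; the accepted codes stand in for the validator's TOTP window.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed OTP submissions tolerated per key within WINDOW_SECONDS (assumed policy)
WINDOW_SECONDS = 120    # sized to the 2-minute acceptance window discussed above
LOCKOUT_SECONDS = 900   # how long a key stays locked once it trips the limit (assumed policy)


class OtpAttemptLimiter:
    """Sliding-window failure counter keyed by (client address, account) with a hard lockout.

    Sits in front of the real OTP check: while a key is locked nothing is checked, so even a
    lucky correct guess during the lockout is refused."""

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so the behaviour can be tested deterministically
        self.failures = defaultdict(deque)    # key -> timestamps of recent failed attempts
        self.locked_until = {}                # key -> unix time at which the lockout expires

    def attempt(self, client_ip: str, account: str, check_code) -> str:
        """Returns 'ok', 'bad_code' or 'locked'. `check_code` is the real OTP verification callback."""
        key = (client_ip, account)
        now = self.clock()
        if self.locked_until.get(key, 0) > now:
            return "locked"
        recent = self.failures[key]
        while recent and now - recent[0] >= WINDOW_SECONDS:   # drop failures outside the window
            recent.popleft()
        if check_code():
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_code"


def expected_guesses(digits: int = 6, accepted: int = 4) -> int:
    """Average number of blind guesses until one hits a currently accepted code."""
    return 10**digits // accepted


def simulate_brute_force(limiter, client_ip: str, account: str, accepted_codes, max_guesses=10**6):
    """Submit 000000, 000001, ... as an automated attacker would. Returns (outcome, guesses sent).
    `accepted_codes` stands in for the validator's TOTP window; `limiter=None` models the
    unthrottled endpoint."""
    for n in range(max_guesses):
        guess = f"{n:06d}"
        hit = lambda: guess in accepted_codes
        if limiter is None:
            outcome = "ok" if hit() else "bad_code"
        else:
            outcome = limiter.attempt(client_ip, account, hit)
        if outcome != "bad_code":
            return outcome, n + 1
    return "exhausted", max_guesses


class FakeClock:
    """Manual clock so the lockout expiry can be exercised without waiting."""
    def __init__(self, start: float = 1_600_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    # Constructed stand-in for the four codes a validator accepts at one instant.
    window = {"050471", "081804", "287082", "359152"}
    print("unthrottled:", simulate_brute_force(None, "198.51.100.7", "admin", window))
    clock = FakeClock()
    limiter = OtpAttemptLimiter(clock=clock)
    print("rate limited:", simulate_brute_force(limiter, "198.51.100.7", "admin", window))
```

Against the unthrottled endpoint the sequential attacker reaches an accepted code after tens of thousands of requests; with the limiter in place the same attacker is locked out after the fifth failure, and a correct code submitted during the lockout is still refused. At a reverse proxy the per-address half of this is what nginx's limit_req and HAProxy's stick tables provide; the per-account half has to be enforced by something that can see the login form fields.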

Red Sky Alliance has been tracking cyber criminals for years.  Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success, yet woefully not enough.  Our current tools provide a valuable look into the underground, where malware like all the different variants of Ransomware are bought and sold, and help support current protections with proactive underground indicators of compromise.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
