Critical cPHulk Denial-of-Service Vulnerability

tylerl

Active Member
Dec 11, 2009
Yes, there's a critical Denial of Service vulnerability in cPHulkd. Yes, you've already been told about it. Yes, it's affecting customers. Over the past 4 years I've assisted no less than 130 cPanel customers who have been victim to this.

The attack is simple, and often not even intentional. Dozens of bots from all over the world attempt to log in to SSH or WHM using the "root" account. Most servers get thousands of these login attempts per day. Each attacker gets locked out after a default of 5 attempts. But several attackers hit at the same time, and after 15 attempts, the "root" account is locked out completely for 15 minutes. And 15 minutes later, the process starts over again. It isn't long before the hapless admin ends up putting himself on the two-week blacklist just by trying to get access to his own server.

I've talked to dozens of customers who have completely lost access to their servers because of this horrible feature. The official "solution" is to white-list the admin's IP, but if the admin doesn't have a static IP then this isn't an option at all.

Yes, this is a true security vulnerability; it can be leveraged by a determined attacker to prevent an administrator from logging in to stop any other sort of attack if the server is hacked. Since cPhulkd conveniently blocks ALL authentication for a given account, not just through cPanel but also SSH and every other avenue, the administrator is prevented from getting root access on his box at all by any means, allowing the attacker to proceed without fear of being stopped by the admin. Since many attackers have an entire botnet at their disposal, getting control of enough IPs to execute such an attack is no problem at all.

What's more, there isn't even the option to disable the account lock-out feature. So either you live with a vulnerable server, or you disable cPhulkd altogether. Those are the only two options users have.

This is absurd. This is stupid. This shows a complete lack of critical thinking or imagination.

I've reported this vulnerability no less than a dozen times by all sorts of channels over the past four years. I've sent patches, bug reports, security alerts, anything I could possibly think of. The response has invariably been moderate intrigue to the initial report, and then nothing. Nothing ever gets fixed, even though I've sent you the appropriate code several times.

cPanel must ship with account lockout disabled by default. No other configuration is remotely sensible.
 

es2alna

Well-Known Member
Mar 30, 2014
Egypt
cPanel Access Level
Root Administrator
Hi,

I agree with what you said. I faced this issue a lot, and finally the solution for me was disabling cPHulk and installing CSF.

This is the only method till this moment to prevent root account locking.

Hope to see a reply from cPanel.

Greetings,
 

tylerl

Active Member
Dec 11, 2009
Do you have a ticket ID you could share with me please?
Thanks in advance.
Last time I reported this issue in the ticket system was about 2 years ago, and the ticket appears to be gone now. It looks like the portal only goes back 360 days.

And no, I'm not going to submit another ticket. I don't want this issue to again get lost in the paperwork pile. I'm putting this in your hands, feel free to submit the ticket yourself.

- - - Updated - - -

Here's the last time I reported the issue to this forum:
https://forums.cpanel.net/f145/disable-cphulk-per-account-blacklists-279791.html

SilentNinja reported it as ticket #2990655 in response. So that may be in your system.
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

Thank you for providing that ticket. I reviewed it and from what I can tell, the customer (SilentNinja) provided an idea on how cPhulkd should work, and he was advised to submit his request via the Feature Request section. Then he closed the ticket. He never provided access to his server where we could investigate.

Therefore, I would either need to know what ticket you had 2 years ago or you would need to open a new one so that we can properly investigate this. Once you have a ticket, you can post it here, and we can update this thread accordingly. I can assure you that all tickets are answered and not skipped.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You shouldn't need access to anyone's server to investigate. This is a very simple situation and fix.

I get several customers every week who cannot access their own servers as root due to cphulk's per-account lockout. Half of them panic thinking their server is rooted because their password magically "no longer works."

Locking out every single IP from root access just because a few nefarious ones are brute forcing / failing logins does present a DoS-like situation. I can't tell you how many times I've had to drop entries from someone's cPHulk database just so they could access their own server.

cPhulk needs an overhaul. Not everyone has a static IP that can be whitelisted. Block the bad IPs not the target usernames.
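To make the point in the first post and in the reply above concrete, here is an added example (not code from the thread or from cPanel) that models both policies on a constructed stream of login failures: a per-source-IP block alone, and the per-account lock layered on top of it. The thresholds are the ones quoted above (5 failures per IP, 15 per account, 15-minute lock); the sliding window, the class and function names, and the sample IPs are assumptions.

```python
"""Added example, not from the thread or from cPanel's code: a toy model of
the two lockout policies argued over above. Thresholds follow the first post
(5 failures per IP, 15 per account, 15-minute lock); the rest is assumed."""
from collections import defaultdict, deque

PER_IP_LIMIT = 5          # failures before a source IP is blocked
PER_ACCOUNT_LIMIT = 15    # failures before the account itself is locked
LOCK_SECONDS = 15 * 60    # duration of a lock, as described in the thread
WINDOW_SECONDS = 15 * 60  # assumed counting window for failures


class Lockout:
    """Tracks failed logins per key and locks a key once it hits its limit."""
    def __init__(self, per_account):
        self.per_account = per_account          # cPHulk-style if True
        self.failures = defaultdict(deque)      # key -> failure timestamps
        self.locked_until = {}                  # key -> unlock time

    def _keys(self, user, ip):
        keys = [(("ip", ip), PER_IP_LIMIT)]
        if self.per_account:
            keys.append((("user", user), PER_ACCOUNT_LIMIT))
        return keys

    def attempt(self, user, ip, now, correct_password):
        """Return 'locked', 'failed' or 'ok' for one login attempt."""
        if any(self.locked_until.get(k, 0) > now for k, _ in self._keys(user, ip)):
            return "locked"       # refused before the password is even checked
        if correct_password:
            return "ok"
        for key, limit in self._keys(user, ip):
            q = self.failures[key]
            q.append(now)
            while now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
                q.popleft()
            if len(q) >= limit:
                self.locked_until[key] = now + LOCK_SECONDS
        return "failed"


def simulate(events, per_account):
    """Run (time, user, ip, correct_password) events; return the outcomes."""
    tracker = Lockout(per_account)
    return [tracker.attempt(u, ip, t, ok) for t, u, ip, ok in events]


# Constructed scenario: four bots each fail 5 times against root, one bot
# comes back for a 6th try, then the admin logs in with the right password.
BOTS = ["203.0.113.%d" % i for i in range(1, 5)]
EVENTS = [(5 * b + n, "root", ip, False)
          for b, ip in enumerate(BOTS) for n in range(5)]
EVENTS += [(60, "root", BOTS[0], False), (120, "root", "198.51.100.7", True)]
```

With the per-account lock enabled the admin's correct login at t=120 is refused as "locked"; with only the per-IP block the bots are still shut out after their fifth failure while the admin's attempt returns "ok".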
 

tylerl

Active Member
Dec 11, 2009
...He was advised to submit his request via the Feature Request section. Then he closed the ticket. He never provided access to his server where we could investigate.
No, no, no. We're not asking you to please add new features, nor are we asking for support diagnosing an issue with a specific server. There is no server. We're reporting to you dangerous code that you install on all servers.

Whether, internally, you need to handle this as a feature request or as a support issue or whether you need tickets filled out on carbon paper and submitted via carrier pigeon, I trust you will know how to handle it. I'm not going to fill out any more tickets, nor am I going to re-submit this report on some other forum. I've learned from experience that down that road lies madness.

You have been notified of this issue, and hopefully you see that it is a very real problem with very real security implications. So now we are relying on you as a cPanel employee and representative to take the necessary steps to see that it gets conveyed to someone who can do something about it. If that means you need to open a ticket, then open a ticket. If it means you need to post the request elsewhere, then do that.

I will be happy to provide any further assistance or information as necessary. But I can't spend any more energy trying to push this issue through the arcane machinery that is cPanel Tech Support.
 

Nick57

Well-Known Member
Jul 19, 2005
cPanel Access Level
Root Administrator
Same old story, it will never happen until many servers are crashing and someone is getting cPanel to court for not giving any attention to security issues. Same for IPv6 !!! Same for the password change issue, which I have struggled with for so longggggg. cPanel is getting too old, behaves like a whale... slow in response... cPanel WAKE UP, listen to your users.

Perhaps we all should stop paying for cPanel ???
 

ThinIce

Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
I can't directly comment on this one, but problems with lock-outs over and above what one would expect back when it was first released did cause me to ignore cPHulk in favour of CSF, and I can't say I've looked back.

cPanel chaps, if you could perhaps answer one salient point: is it, in your opinion, intended that the root account should become locked per tyler's post for safety reasons (i.e. against brute force), and that the admin should have one or more whitelisted IPs if they expect to gain access? Reading between the lines this looks to be the case, but it might ease frustration if you said it plainly in this case.

I'm on the fence on this one btw - I see good security practice on one side and the presence of the dyndns-style allow features in CSF on the other.
 

adv

Registered
Apr 9, 2014
cPanel Access Level
DataCenter Provider
We actually all know this - not only root, but a single normal cPanel user can also get locked out because of those attempts. (Even when the cPanel user's IP had no incorrect auth, it still got locked out.)
We have known this for many years.
We also get this issue sometimes - restarting cPanel will resolve it.

- - - Updated - - -

We also get this issue sometimes (the root account being locked as well) - restarting cPanel will resolve it.

- - - Updated - - -

Restarting cPanel will resolve it (/etc/init.d/cpanel restart).
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Some valid points have been made in this thread. The changes suggested would require an overhaul of cPhulk. While it might seem like an unhelpful response to suggest opening a feature request, it's really the best way to see a change in the product. cPanel implemented a new feature request system towards the end of 2012. Feature requests are now directly reviewed by our development team. You will notice new feature requests often receive a response directly from a developer, even if it's just to ask for more information, or to ask for input on how to best implement a new option. This direct communication ensures the new features implemented with cPanel meet the expectations of our customers. You could even copy/paste the original post on this thread as the feature request:

Submit A Feature Request

Thank you.