"Lucky Thirteen" SSL Vulnerability - WHM/cPanel impact

[Avanti]

I've been reading about "Lucky Thirteen" SSL vulnerabilty and recommended settings for apache to mitigate against this vulnerability (New "Lucky Thirteen" SSL Vulnerabilities: CloudFlare Users Protected - CloudFlare blog)

Just wondering if cPanel SSL implementation is vulnerable as well and what, if any, settings can be changed to mitigate against this vilnerability.

 

[Murtaza_t]

Hello,

AFAIK, cPanel uses OpenSSL with TLS 1.1. I am not sure if the ciphersuites though..

A reply from cPanel official will be appreciate

 

[cPanelKenneth]

OpenSSL on cPanel & WHM servers is not provided by cPanel & WHM, rather it is provided by your operating system. To find information on when your installation will be updated it is recommended you ask your operating system provider. This is usually Red Hat, CentOS or CloudLinux.

As is disclosed in the linked report, as well as others, the Lucky 13 vulnerability is difficult to exploit. It requires near access to your server. Usually this means "on the same LAN" or local segment.

Prioritizing RC4 in your cipher suite is the recommended means of protecting your services against Lucky 13, at least until your OpenSSL installation is updated. RC4 has some academic weaknesses, but appears to be robust enough in OpenSSL's implementation so as to be "safe", at least according to my understanding.