
"Lucky Thirteen" SSL Vulnerability - WHM/cPanel impact

Discussion in 'Security' started by Avanti, Feb 7, 2013.

  1. Avanti

    Avanti Registered

  2. Murtaza_t

    Murtaza_t Well-Known Member

    Hello,

    AFAIK, cPanel uses OpenSSL with TLS 1.1. I am not sure about the ciphersuites, though.

    A reply from a cPanel official will be appreciated :)
     
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    OpenSSL on cPanel & WHM servers is not provided by cPanel & WHM; rather, it is provided by your operating system. To find information on when your installation will be updated, it is recommended you ask your operating system provider. This is usually Red Hat, CentOS or CloudLinux.

    As is disclosed in the linked report, as well as others, the Lucky 13 vulnerability is difficult to exploit. It requires near access to your server. Usually this means "on the same LAN" or local segment.

    Prioritizing RC4 in your cipher suite is the recommended means of protecting your services against Lucky 13, at least until your OpenSSL installation is updated. RC4 has some academic weaknesses, but appears to be robust enough in OpenSSL's implementation so as to be "safe", at least according to my understanding.
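
An added example, not part of the thread and not cPanel's own tooling: a Python check that reads `openssl ciphers -v` style output in preference order and reports which CBC-mode suites (the ones Lucky 13 targets) are ranked ahead of non-CBC suites. The sample lines are constructed, and the rule that any non-AEAD, non-RC4, non-null suite is CBC is an assumption about OpenSSL's TLS suite list.

```python
import re

# Constructed sample of `openssl ciphers -v` output, listed in preference order.
SAMPLE = """\
RC4-SHA            SSLv3   Kx=RSA Au=RSA Enc=RC4(128)    Mac=SHA1
AES256-SHA         SSLv3   Kx=RSA Au=RSA Enc=AES(256)    Mac=SHA1
AES128-GCM-SHA256  TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA       SSLv3   Kx=RSA Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Captures: suite name, Enc= algorithm (key size dropped), Mac= value.
LINE = re.compile(r"^(\S+)\s.*?\bEnc=([^\s(]+)\S*\s+Mac=(\S+)")

def classify(enc, mac):
    """Return 'aead', 'rc4', 'null' or 'cbc' for one suite."""
    if mac == "AEAD":
        return "aead"   # GCM/CCM/ChaCha20-Poly1305: no MAC-then-pad-then-encrypt step
    if enc.startswith("RC4"):
        return "rc4"    # stream cipher the post prioritizes; RFC 7465 later prohibited it in TLS
    if enc == "None":
        return "null"   # no encryption at all
    return "cbc"        # assumption: remaining block ciphers are CBC with an HMAC

def parse(text):
    """Turn the listing into [(suite_name, kind), ...], keeping its order."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, enc, mac = m.groups()
            suites.append((name, classify(enc, mac)))
    return suites

def audit(text):
    """Report CBC suites and those ranked above an RC4 or AEAD suite."""
    suites = parse(text)
    non_cbc_idx = [i for i, (_, k) in enumerate(suites) if k in ("rc4", "aead")]
    cbc = [(i, n) for i, (n, k) in enumerate(suites) if k == "cbc"]
    last_non_cbc = max(non_cbc_idx) if non_cbc_idx else -1
    return {
        "cbc": [n for _, n in cbc],
        "cbc_ranked_above_non_cbc": [n for i, n in cbc if i < last_non_cbc],
        "cbc_only": bool(cbc) and not non_cbc_idx,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real configuration, feed it the output of `openssl ciphers -v` run with the cipher string your service is configured to use.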
     
