3CX warning: Disable SQL database integrations (Dec. 15, 2023)

Warning to customers of the telephone system provider 3CX who have integrated an SQL database into the software for CRM purposes. The manufacturer recommends temporarily deactivating this SQL database integration. Although it gives no details of what is wrong, the provider's security advisory lists which SQL databases and software versions are affected and explains how the SQL connection can be deactivated in the Management Console.


The 3CX system

3CX is a software-based telephone system for extensions (PBX). The 3CX telephone system is based on the SIP standard (Session Initiation Protocol). The solution enables extensions to make calls via the public switched telephone network (PSTN) or via Voice over Internet Protocol (VoIP) services on premises, in the cloud or via a cloud service operated by 3CX. The 3CX telephone system is available for Windows, Linux and Raspberry Pi and supports standard SIP soft/hardphones, VoIP services, faxes, voice and web meetings as well as conventional PSTN telephone lines. Details can be found on the manufacturer's website.

Warning about SQL database integration

There are customers who have implemented an SQL database connection to the 3CX system. 3CX states that only 0.25 % of users use such a solution for Customer Relationship Management (CRM), especially as it is an "old style" integration intended for on-premises networks secured by a firewall. Such an SQL database integration is potentially vulnerable, depending on the configuration, writes 3CX's Pierre Jourdan on December 15, 2023 in the 3CX blog post Security Advisory: Disable your SQL Database Integrations.

The colleagues from Bleeping Computer noticed the 3CX blog post and point out the security warning in a tweet and in this post. There are no details from 3CX about the vulnerability or what exactly the problem with the SQL database integration is. The manufacturer lists the following databases as affected:

  • MongoDB
  • MsSQL
  • MySQL
  • PostgreSQL

The manufacturer recommends temporarily deactivating the database connection on 3CX versions 18 and 20. The 3CX blog post contains instructions on how to carry out the deactivation in the Management Console. The manufacturer is working on eliminating the potential vulnerability and will provide more information "later".


SQL injection vulnerability CVE-2023-49954

Addendum: A blog reader pointed me (via Facebook) to the entry for CVE-2023-49954, an SQL injection vulnerability (thanks for that). According to its description, 3CX may have been working on the vulnerability since October 11, 2023.
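Neither 3CX nor the CVE entry describe where the injection sits, so the following is an added illustration of the flaw class only, not 3CX's code or schema. It shows the pattern that makes an "old style" CRM lookup injectable: a caller-supplied value (here a hypothetical caller ID used to look up a contact) concatenated into the SQL string, next to the parameterized form and an input check. The contacts table and its rows are constructed sample data; SQLite is used so the example runs offline, but the point is the same for MsSQL, MySQL and PostgreSQL.

```python
import re
import sqlite3

# Constructed sample data: a tiny CRM contacts table, not 3CX's schema.
SAMPLE_CONTACTS = [
    ("+4930123456", "Alice Example", "ACME GmbH"),
    ("+4930654321", "Bob Sample", "Beispiel AG"),
]

# Hypothetical attacker-controlled caller ID: a tautology that widens the WHERE clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the sample contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (phone TEXT, name TEXT, company TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, caller):
    """Old-style lookup: the caller value is concatenated into the SQL text,
    so a crafted caller ID changes the query instead of being treated as data."""
    sql = "SELECT name, company FROM contacts WHERE phone = '" + caller + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, caller):
    """Hardened lookup: the caller value is bound as a parameter; the driver
    never interprets it as SQL, whatever characters it contains."""
    sql = "SELECT name, company FROM contacts WHERE phone = ?"
    return conn.execute(sql, (caller,)).fetchall()


def is_valid_caller(caller):
    """Defence in depth: accept only what a caller number can look like
    (optional leading '+', then 3 to 15 digits). Not a substitute for binding."""
    return re.fullmatch(r"\+?[0-9]{3,15}", caller) is not None


def lookup_safe(conn, caller):
    """Validate first, then use the parameterized query."""
    if not is_valid_caller(caller):
        return []
    return lookup_parameterized(conn, caller)


def demo():
    """Return how many rows each variant yields for a real number and the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "+4930123456")),
        "vulnerable_payload": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),
        "parameterized_payload": len(lookup_parameterized(conn, INJECTION_PAYLOAD)),
        "safe_payload": len(lookup_safe(conn, INJECTION_PAYLOAD)),
        "safe_normal": len(lookup_safe(conn, "+4930654321")),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows} row(s)")
```

With the concatenated query the payload returns every contact instead of one; with the bound parameter it matches nothing, because the database compares the literal string rather than evaluating it. Database drivers for MySQL or MsSQL that allow stacked statements would additionally let such a payload append its own commands, which is why 3CX's advice to cut the connection entirely until a fix ships is the right short-term move.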

Absolute fail from 3CX!

The person who found the vulnerability by chance tried to contact someone at 3CX to initiate a responsible disclosure. 3CX Customer Support wanted to know a license number first – just crazy.

The person who has discovered the flaw then contacted CERT/CC and opened a case, because a vulnerability remains a vulnerability even if you don't know the license number.

To cut a long story short: CERT/CC was also unable to establish contact with 3CX. Further contact attempts by the discoverer also came to nothing.

Deadline expired, information published

After the deadline set by CERT/CC had expired, the discoverer of the vulnerability posted the entry for CVE-2023-49954 on GitHub. As the reader wrote to me on Facebook: "Read through the timeline and get annoyed. As a 3CX user, I feel like I've been made a fool of."

Similar articles:
3CX desktop app (probably) infected in a supply chain attack (March 29, 2023)
Additional information about the compromised 3CX desktop app
