VoIP communications company 3CX warned customers today to disable SQL database integrations because of potential risks associated with what it describes as a potential vulnerability.
Though the security advisory released today lacks any specific details regarding the issue, it advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations.
“If you’re using an SQL Database integration it is potentially subject to a vulnerability – depending upon the configuration,” 3CX’s chief information security officer Pierre Jourdan said.
“As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it.”
Jourdan explained that the security issue affects only versions 18 and 20 of 3CX’s Voice Over Internet Protocol (VOIP) software. Moreover, not all web-based CRM integrations are affected.
A post on the company’s community website was shared earlier today with a link to the security advisory, but no additional information.
Both the forum post and the advisory were locked when this article was published and comments were not allowed.
March 2023 supply chain attack
In March, 3CX disclosed that its 3CXDesktopApp Electron-based desktop client was trojanized in a supply chain attack by the UNC4736 North Korean hacking group to distribute malware.
The disclosure was delayed by the company taking over a week to react to a stream of customer reports saying that the software had been tagged as malicious by multiple cybersecurity companies, including CrowdStrike, SentinelOne, ESET, Palo Alto Networks, and SonicWall.
As later discovered by cybersecurity firm Mandiant, the 3CX hack resulted from another supply chain attack that impacted the Trading Technologies stock trading automation company.
3CX says its Phone System has over 12 million daily users and is used by more than 350,000 companies worldwide, including high-profile organizations and companies such as Air France, the UK’s National Health Service, BMW, Toyota, PepsiCo, American Express, Coca-Cola, IKEA, Honda, and Renault.
Update December 15, 15:52 EST: 3CX CISO Pierre Jourdan says that only 0.25% of the user base “have sequel integrated.” With its products used by at least 350,000 companies, as per 3CX, a minimum of 875 customers could potentially be impacted by this undisclosed security issue.
Update December 15, 18:41 EST: While the company has yet to provide detailed information on the security flaw that prompted today’s warning, BleepingComputer was told that it is an SQL Injection vulnerability in the 3CX CRM Integration with SQL databases.
The security bug was discovered on October 11, with the security researcher and the Computer Emergency Response Team Coordination Center (CERT/CC) attempting to report it to 3CX without success for over two months, even though contact was established with the company’s customer support on the first day.
The security researcher says 3CX’s Operations Director acknowledged the report today, December 15. The company also warned customers today to disable SQL/CRM integrations to block SQL injection attacks exploiting this flaw, but without providing details that would allow malicious actors to gain the information needed to start abusing it in the wild.
Update December 16, 04:51 EST: Ruth Elizabeth Abbott, 3CX’s Operations Director, has confirmed the disclosure timeline shared by the researcher in a statement shared with BleepingComputer.
Update December 16, 11:49 EST: Revised information regarding the 3CX March supply chain attack.
While more details about this vulnerability are available, BleepingComputer has chosen not to disclose further details at this time to give 3CX customers more time to secure their systems.