
3CX Phone 11 Outdated Libraries

Posted on 07 May 2013
Source: packetstormsecurity.org


Hi @ll,

the current 3CXPhoneSystem11.exe (for Windows), available from
<http://www.3cx.com/phone-system/download-phone-system/> (pricing
see <http://www.3cx.com/ordering/pricing/>), digitally signed on
2013-01-28, installs the following COMPLETELY outdated and
vulnerable 3rd-party (open source) libraries/components:

* libeay32.dll and ssleay32.dll version 0.9.8e (from 2007-02-23)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of OpenSSL is 0.9.8y, see
<http://www.openssl.org/>, it fixes at least 23 CVEs found in
earlier versions down to 0.9.8e.

* libeay32.dll and ssleay32.dll version 0.9.8k (from 2009-03-29)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin"

The current version of OpenSSL is 0.9.8y, see
<http://www.openssl.org/>, it fixes at least 17 CVEs found in
earlier versions down to 0.9.8k.

* libeay32.dll and ssleay32.dll version 1.0.1 (from 2012-03-13)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\webserver"
(as part of the included WWW server Abyss, see below)

The current version of OpenSSL is 1.0.1e, see
<http://www.openssl.org/>, it fixes at least 5 CVEs found in
earlier versions down to 1.0.1.

* zlib1.dll version 1.2.2
in "C:\Program Files\3CX Phone System\bin"

The current version of zlib is 1.2.8, see <http://zlib.net>,
it fixes at least 2 CVEs found in 1.2.2. From there:

| Version 1.2.3 (July 2005) eliminates potential security
| vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of
| those versions should upgrade immediately.

* zlib1.dll version 1.2.3
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of zlib is 1.2.8, see <http://zlib.net>
From there:
| All users are encouraged to upgrade immediately.

* zlib1.dll version 1.2.6
in "C:\Program Files\3CX Phone System\bin\webserver"
(as part of the included WWW server Abyss, see below)

The current version of zlib is 1.2.8, see <http://zlib.net>
From there:
| All users are encouraged to upgrade immediately.

* libxml2.dll and libxslt.dll version 2.6 of libxml
(see <http://www.xmlsoft.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of libxml is 2.9.0, see
<http://www.xmlsoft.org/news.html>; version 2.6 has been
end-of-life for years!

<http://web.nvd.nist.gov/view/vuln/search-results?query=libxml2+2.6&search_type=all&cves=on>
lists 6 CVEs for version 2.6.

* Xerces version 2.5.0 (see <http://xerces.apache.org/xerces-c/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"
(as part of the included PostgreSQL 8.3.7, see below)

The current versions are 2.8.0 and 3.1.1; version 2.5.0 has been
end-of-life for years!

<http://web.nvd.nist.gov/view/vuln/search-results?query=xerces+2.5&search_type=all&cves=on>
lists 1 CVE for version 2.5.0.

* MIT Kerberos 5 version 1.6.3-kfw-3.2.2 (see
<http://web.mit.edu/kerberos/>)
in "C:\Program Files\3CX Phone System\bin"

The current version of Kerberos for Windows is 4.0.1
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it
fixes about 20 CVEs in earlier versions down to 1.6.3-kfw-3.2.2
(see <http://web.mit.edu/kerberos/advisories/>).

* MIT Kerberos 5 version 1.6.2-kfw-3.2.1
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of Kerberos for Windows is 4.0.1
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it
fixes about 20 CVEs in earlier versions down to 1.6.2-kfw-3.2.1
(see <http://web.mit.edu/kerberos/advisories/>).

* PostgreSQL 8.3.7 (see <http://www.postgresql.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin"

The current version of PostgreSQL 8.3 is 8.3.23, it fixes about
20 CVEs since 8.3.7 (see <http://www.postgresql.org/support/security/>).

* Abyss web server 2.8.0.2 X2 (see <http://www.aprelium.com/abyssws/>)
in "C:\Program Files\3CX Phone System\bin\webserver"

This is the current version (released 2012-05-31), but it is built
with vulnerable components too (see above): yet another company that
is unable to keep its software up to date and protect its customers.
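The listing above was compiled by hand; the same check can be scripted so it is repeatable after each vendor release. The following is an added example, not code from the advisory or from 3CX: it takes an inventory of (path, component, version) triples, compares each against the release the advisory names as current for that component's branch (a 0.9.8 build is compared with 0.9.8y, not 1.0.1e), handles OpenSSL's letter suffixes and MIT's "1.6.3-kfw-3.2.2" naming, and additionally reports components that ship as several private copies, since each copy has to be patched separately. The inventory is constructed from the listing above; the file names for the Kerberos, PostgreSQL, Xerces and Abyss binaries are assumptions, as the advisory names only the directories and versions.

```python
"""Audit bundled third-party components against a baseline of current releases.

Added example (not from the advisory or from 3CX). Inventory constructed from the
listing above; binary file names for kfw, postgresql, xerces-c and abyss are assumed.
"""
import re
from collections import defaultdict

# Constructed inventory: (path, component, version string as shipped).
INVENTORY = [
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\libeay32.dll", "openssl", "0.9.8e"),
    (r"C:\Program Files\3CX Phone System\bin\libeay32.dll", "openssl", "0.9.8k"),
    (r"C:\Program Files\3CX Phone System\bin\webserver\libeay32.dll", "openssl", "1.0.1"),
    (r"C:\Program Files\3CX Phone System\bin\zlib1.dll", "zlib", "1.2.2"),
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\zlib1.dll", "zlib", "1.2.3"),
    (r"C:\Program Files\3CX Phone System\bin\webserver\zlib1.dll", "zlib", "1.2.6"),
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\libxml2.dll", "libxml2", "2.6"),
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\xerces-c_2_5_0.dll", "xerces-c", "2.5.0"),  # assumed name
    (r"C:\Program Files\3CX Phone System\bin\krb5_32.dll", "kfw", "1.6.3-kfw-3.2.2"),  # assumed name
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\krb5_32.dll", "kfw", "1.6.2-kfw-3.2.1"),  # assumed name
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\postgres.exe", "postgresql", "8.3.7"),  # assumed name
    (r"C:\Program Files\3CX Phone System\bin\webserver\abyssws.exe", "abyss", "2.8.0.2"),  # assumed name
]

# Current releases as the advisory states them (May 2013). A dict value means
# "current release per maintained branch", so each build is compared within
# its own branch (0.9.8 vs 0.9.8y, 8.3 vs 8.3.23) rather than across branches.
BASELINE = {
    "openssl": {"0.9.8": "0.9.8y", "1.0.1": "1.0.1e"},
    "zlib": "1.2.8",
    "libxml2": "2.9.0",
    "xerces-c": {"2": "2.8.0", "3": "3.1.1"},
    "kfw": "4.0.1",
    "postgresql": {"8.3": "8.3.23"},
    "abyss": "2.8.0.2",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version):
    """Map '0.9.8e' to ((0, 9, 8), 'e') so keys sort in release order.

    Dotted parts compare numerically; OpenSSL's pre-1.1 letter suffix sorts
    after the bare number, then alphabetically: 0.9.8 < 0.9.8e < 0.9.8y.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def normalize(component, version):
    """Reduce vendor strings to the number the baseline tracks.

    MIT's '1.6.3-kfw-3.2.2' carries both the krb5 library version and the
    Kerberos for Windows package version; KfW advisories use the latter.
    """
    if component == "kfw" and "-kfw-" in version:
        return version.split("-kfw-", 1)[1]
    return version


def current_release(component, version, baseline):
    """Return the baseline release to compare against, or None if unknown."""
    entry = baseline.get(component)
    if not isinstance(entry, dict):
        return entry
    numbers, _ = version_key(version)
    for branch, release in entry.items():
        prefix = version_key(branch)[0]
        if numbers[:len(prefix)] == prefix:
            return release
    return None


def audit(inventory, baseline):
    """Classify every inventory entry as outdated, current or unknown."""
    results = []
    for path, component, raw in inventory:
        found = normalize(component, raw)
        current = current_release(component, found, baseline)
        if current is None:
            status = "unknown"
        elif version_key(found) < version_key(current):
            status = "outdated"
        else:
            status = "current"
        results.append({"path": path, "component": component,
                        "found": found, "current": current, "status": status})
    return results


def outdated(inventory, baseline):
    return [r for r in audit(inventory, baseline) if r["status"] == "outdated"]


def duplicate_copies(inventory):
    """Components shipped as several private copies, with their distinct versions.

    Each copy is updated (or, as above, forgotten) independently, so fixing one
    directory leaves the others vulnerable.
    """
    seen = defaultdict(set)
    for _, component, raw in inventory:
        seen[component].add(normalize(component, raw))
    return {c: sorted(v, key=version_key) for c, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for r in audit(INVENTORY, BASELINE):
        print(f"{r['status']:8} {r['component']:10} {r['found']:<8} current {r['current']}  {r['path']}")
    for component, versions in duplicate_copies(INVENTORY).items():
        print(f"{component}: {len(versions)} different copies: {', '.join(versions)}")
```

On a real installation the inventory would be read from the binaries' version resources (for example, in PowerShell, `Get-ChildItem -Recurse -Filter *.dll` and each file's `VersionInfo` property) rather than typed in, and the baseline would be refreshed from the projects' release pages before each run; the comparison logic is the part that stays the same.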

Timeline:
~~~~~~~~~

2013-05-05 vendor informed

2013-05-06 vendor replied:
"3CX phone system is per objective evidence the safest phone
system on the market. If you don't like it, use asterisk."

I second that: don't use software from 3CX! Request your money back.

2013-05-06 report published

Stefan Kanthak
