VoIP communications company 3CX warned customers today to disable SQL database integrations because of potential risks tied to what it describes as a possible vulnerability.
Although the security advisory released today lacks any specific information about the issue, it advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations.
“If you’re using an SQL Database integration it is subject potentially to a vulnerability – depending upon the configuration,” 3CX’s chief information security officer Pierre Jourdan said.
“As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it.”
Jourdan explained that the security issue affects only versions 18 and 20 of 3CX’s Voice over Internet Protocol (VoIP) software. Additionally, not all web-based CRM integrations are affected.
A post on the company’s community website was shared earlier today with a link to the security advisory, but no additional information.
Both the forum post and the advisory were locked when this article was published, and comments were not allowed.
March 2023 supply chain attack
In March, 3CX disclosed that its 3CXDesktopApp Electron-based desktop client had been trojanized in a supply chain attack by the UNC4736 North Korean hacking group to distribute malware.
The disclosure was delayed by the company taking over a week to react to a stream of customer reports saying that the software had been flagged as malicious by multiple cybersecurity companies, including CrowdStrike, SentinelOne, ESET, Palo Alto Networks, and SonicWall.
As later discovered by cybersecurity firm Mandiant, the 3CX hack resulted from another supply chain attack that impacted Trading Technologies, a stock trading automation company.
3CX says its Phone System has over 12 million daily users and is used by more than 350,000 businesses worldwide, including high-profile organizations and companies such as Air France, the UK’s National Health Service, BMW, Toyota, PepsiCo, American Express, Coca-Cola, IKEA, Honda, and Renault.
Update December 15, 15:52 EST: 3CX CISO Pierre Jourdan says that only 0.25% of the user base “have SQL integrated.” With its products used by at least 350,000 companies, as per 3CX, a minimum of 875 customers could potentially be impacted by this undisclosed security issue.
Update December 15, 18:41 EST: While the company has yet to provide detailed information on the security flaw that prompted today’s warning, BleepingComputer was told that it is an SQL injection vulnerability in the 3CX CRM integration with SQL databases.
The security bug was discovered on October 11, with the security researcher and the Computer Emergency Response Team Coordination Center (CERT/CC) attempting to report it to 3CX without success for over two months, even though contact was established with the company’s customer support on the first day.
The security researcher says 3CX’s Operations Director acknowledged the report today, December 15. The company also warned customers today to disable SQL/CRM integrations to block SQL injection attacks exploiting this flaw, but without providing details that would allow malicious actors to obtain the information needed to start abusing it in the wild.
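The updates above name the flaw class (SQL injection in a CRM integration) but, deliberately, none of 3CX’s code or the actual injection point. The following is an added, generic illustration written for this article, not 3CX’s code and not a description of the real bug: a hypothetical CRM caller-ID lookup built by string concatenation next to the same lookup using a bound parameter. The table, column names and sample rows are constructed here; it runs offline on Python’s bundled sqlite3 and shows why “disable the integration” is a sensible stopgap while the real fix is parameterizing the query.

```python
import sqlite3

# Constructed sample data for a hypothetical CRM contact table (not 3CX's schema).
SAMPLE_CONTACTS = [
    ("Alice Example", "+15550100"),
    ("Bob Example", "+15550101"),
]


def make_db():
    """Build an in-memory database holding the constructed contact rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_vulnerable(conn, caller_id):
    """Hypothetical injectable lookup: the caller-supplied string is pasted into SQL."""
    sql = "SELECT name FROM contacts WHERE phone = '" + caller_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, caller_id):
    """Same lookup with a bound parameter: the input is data, never SQL syntax."""
    sql = "SELECT name FROM contacts WHERE phone = ?"
    return [row[0] for row in conn.execute(sql, (caller_id,))]


def demo():
    """Run both lookups against a benign caller ID and two injection payloads."""
    conn = make_db()
    benign = "+15550100"
    # Classic tautology: turns the WHERE clause into "phone = '' OR '1'='1'".
    tautology = "' OR '1'='1"
    # UNION into a system table; the trailing -- comments out the closing quote.
    union = "' UNION SELECT sql FROM sqlite_master--"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": sorted(lookup_vulnerable(conn, tautology)),
        "vuln_union": lookup_vulnerable(conn, union),
        "param_benign": lookup_parameterized(conn, benign),
        "param_tautology": lookup_parameterized(conn, tautology),
        "param_union": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the tautology payload returns every contact and the UNION payload returns the schema text from sqlite_master; with the bound parameter both payloads are simply phone numbers that match nothing. A caller ID is attacker-controlled input on any PBX that performs CRM lookups, which is why an unauthenticated injection in such an integration is worth taking offline until patched.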
Update December 16, 04:51 EST: Ruth Elizabeth Abbott, 3CX’s Operations Director, has confirmed the disclosure timeline shared by the researcher in a statement provided to BleepingComputer.
Update December 16, 11:49 EST: Revised information regarding the 3CX March supply chain attack.
While more details about this vulnerability are available, BleepingComputer has chosen not to disclose them at this time to give 3CX customers more time to secure their systems.