3CX vulnerable | Aid In IT

3CX Version 14 Service Pack 3 seems to include/use very old and insecure versions of OpenSSL 1.0.1e (11th February 2013) and 1.0.1g (5th June 2014).

More info about the locations is below:

C:\Program Files\3CX Phone System\Instance1\Bin\libeay32.dll
C:\Program Files\3CX Phone System\Instance1\Bin\ssleay32.dll

1.0.1.7
1.0.1g (5 Jun 2014)

C:\ProgramData\3CX\Bin\SSL\libeay32.dll
C:\ProgramData\3CX\Bin\SSL\ssleay32.dll

1.0.1.5
1.0.1e (11 Feb 2013)

OpenSSL 1.0.1t is the latest release and resolves a number of serious vulnerabilities

https://www.openssl.org/news/openssl-1.0.1-notes.html

This means that 3CX V14 Service Pack 3 is likely to be vulnerable to all of the documented vulnerabilities prior to the 1.0.1t OpenSSL release. Using an IPS firewall may help to reduce the risk to your system until an updated version of OpenSSL is integrated into 3CX.

3CX Version 14 Service Pack 3 seems to include/use a very old and insecure PostgreSQL version 9.2.4 (released 04-04-2013).

There have been at least 13 releases since 9.2.4, the latest being 9.2.17 which have resolved the following vulnerabilities: CVE-2014-0066, CVE-2014-0065, CVE-2014-0064, CVE-2014-0063, CVE-2014-0062, CVE-2014-0061, CVE-2014-0060, CVE-2014-0067, CVE-2014-8161, CVE-2015-0244, CVE-2015-0243, CVE-2015-0242, CVE-2015-0241, CVE-2015-3167, CVE-2015-3166, CVE-2015-3165, CVE-2015-5288 and CVE-2016-0773

This means that 3CX V14 Service Pack 3 is likely to be vulnerable to all of the above vulnerabilities. Using an IPS firewall may help to reduce the risk to your system until an updated version of PostgreSQL is integrated into 3CX.

IT – Software and Hardware Support Resources

Aid In IT

Tag Archives: 3CX vulnerable

Outdated/vulnerable OpenSSL versions 1.0.1e/1.0.1g used in 3CX V14 SP3

Outdated and vulnerable PostgreSQL version 9.2.4 used in 3CX V14 SP3

IT – Software and Hardware Support Resources