3CX

Update December 17, 15:30 EST: As shared today by 3CX CEO Nick Galea, the SQL injection flaw was discovered by independent security researcher Theo Stein in the 3CX CRM Integration and is now tracked as CVE-2023-49954.

"If one of the Integration templates has been used (MsSQL, MySQL, PostgreSQL) they can be subject to SQL injection attacks if the 3CX server is available on the internet and no Web application firewall is in front of the 3CX machine. In that case it is possible to manipulate the original SQL query executed against a database," Galea said.

"Only the above-mentioned SQL Database Templates are affected (MsSQL, MySQL, PostgreSQL) and none of the other web CRM templates. Customers using MongoDB or any of our web based CRM integration templates are not affected by this."

3CX plans to provide a hotfix (18.0.9.23, 20.0.0.1494) on Monday to fix the security issue. Until this fix is released, customers are advised to disable CRM integration by configuring the CRM solution setting to 'None.'
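The mechanism Galea describes, a CRM lookup template whose SQL text changes when the value substituted into it carries quote characters, is illustrated below. This is an added example, not 3CX's code or schema: the contacts table, its columns and the caller-ID lookup are constructed assumptions, and Python's built-in sqlite3 stands in for the MsSQL, MySQL and PostgreSQL templates named in the advisory. The unsafe variant shows why such a template is injectable; the safe variant shows the parameterized form that binds the value as data rather than as query text.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a CRM contacts database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (phone TEXT, name TEXT, company TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [
            ("+15551230001", "Alice Example", "Acme"),
            ("+15551230002", "Bob Example", "Globex"),
        ],
    )
    return conn


def lookup_unsafe(conn, caller_id):
    # Template-style query built by string substitution: the caller ID becomes
    # part of the SQL text, so a quote character in it alters the query itself.
    sql = f"SELECT name, company FROM contacts WHERE phone = '{caller_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, caller_id):
    # Parameterized query: the caller ID is bound as a value by the driver and
    # is never parsed as SQL, so the same input matches no row instead of all.
    sql = "SELECT name, company FROM contacts WHERE phone = ?"
    return conn.execute(sql, (caller_id,)).fetchall()


def demo():
    conn = make_db()
    benign = "+15551230001"
    # Constructed input carrying a quote: a textbook tautology that widens the
    # WHERE clause to every row when the template concatenates it into the SQL.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows the unsafe lookup returning both contacts for the hostile input while the parameterized lookup returns none, which is the behaviour the advisory's interim advice (setting the CRM integration to 'None') removes until the hotfix ships.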

VoIP communications company 3CX warned customers today to disable SQL database integrations because of what it describes as a potential vulnerability.

Although the security advisory released today lacks any specific information regarding the issue, it advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations.

"If you're using an SQL Database integration it's subject potentially to a vulnerability - depending upon the configuration," 3CX's chief information security officer Pierre Jourdan said.

"As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it."

Jourdan explained that the security issue impacts only versions 18 and 20 of 3CX's Voice over Internet Protocol (VoIP) software. Additionally, not all web-based CRM integrations are affected.

A post on the company's community website was shared earlier today with a link to the security advisory, but no additional information.

Both the forum post and the advisory were locked when this article was published, and comments were not allowed.

March 2023 supply chain attack

In March, 3CX disclosed that its 3CXDesktopApp Electron-based desktop client was trojanized in a supply chain attack by the UNC4736 North Korean hacking group to distribute malware.

The disclosure was delayed by the company taking over a week to react to a stream of customer reports saying that the software had been tagged as malicious by several cybersecurity companies, including CrowdStrike, SentinelOne, ESET, Palo Alto Networks, and SonicWall.

As later discovered by cybersecurity firm Mandiant, the 3CX hack resulted from another supply chain attack that impacted the Trading Technologies stock trading automation company.

3CX says its Phone System has over 12 million daily users and is used by more than 350,000 businesses worldwide, including high-profile organizations and companies such as Air France, the UK's National Health Service, BMW, Toyota, PepsiCo, American Express, Coca-Cola, IKEA, Honda, and Renault.

Update December 15, 15:52 EST: 3CX CISO Pierre Jourdan says that only 0.25% of the user base "have sequel integrated." With its products used by at least 350,000 companies, as per 3CX, a minimum of 875 customers could potentially be impacted by this undisclosed security issue.

Update December 15, 18:41 EST: While the company has yet to provide detailed information on the security flaw that prompted today's warning, BleepingComputer was told that it's an SQL Injection vulnerability in the 3CX CRM Integration with SQL databases.

The security bug was discovered on October 11, with the security researcher and the Computer Emergency Response Team Coordination Center (CERT/CC) trying to report it to 3CX without success for over two months, even though contact was established with the company's customer support on the first day.

The security researcher says 3CX's Operations Director acknowledged the report today, December 15. The company also warned customers today to disable SQL/CRM integrations to block SQL injection attacks exploiting this flaw, but without providing details that would allow malicious actors to gain the information needed to start abusing it in the wild.

Update December 16, 04:51 EST: Ruth Elizabeth Abbott, 3CX's Operations Director, has confirmed the disclosure timeline shared by the researcher in a statement shared with BleepingComputer.

Update December 16, 11:49 EST: Revised information regarding the 3CX March supply chain attack.
