exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

3CX Client Missing TLS Validation

3CX Client Missing TLS Validation
Posted Mar 21, 2022
Authored by Emanuel Duss

The 3CX Client for Windows (legacy), Android, and iOS fails to properly validate TLS certificates.

tags | advisory
systems | windows, ios
advisories | CVE-2021-45490
SHA-256 | 074017ebf0abca4d37a8b67b240f167c0bec4bbfda44f67fe65cc2c9c71455a1

3CX Client Missing TLS Validation

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: 3CX Client for Windows (legacy), Android & iOS
# Vendor: 3CX
# CSNC ID: CSNC-2021-021
# CVE ID: CVE-2021-45490
# Subject: Missing Certificate Verification
# CWE-ID: CWE-295 (Improper Certificate Validation)
# Severity: Medium
# Effect: Network Traffic Decryption and Manipulation
# Author: Emanuel Duss <emanuel.duss@compass-security.com>
# Date: 2022-03-17
#
#############################################################

Introduction
------------

3CX is an open-platform office phone system that runs on premise on Windows or
Linux. 3CX was built for mobility, with remote work apps that offer secured
communication for the whole team. With the Android, iOS and Windows apps,
business communication is no longer tied to the office building. [1]

During a customer project, we identified a security vulnerability in the 3CX
clients for Windows (legacy), Android and iOS. These applications do not verify
the TLS certificate of the 3CX server.


Affected
--------

- All versions of the 3CX application for Windows (legacy), Android and iOS are
affected.
- There is no fix from the vendor at the moment.
- The new Electron based 3CX Desktop App is not affected.


Description
-----------

The 3CX clients for Windows (legacy), Android, and iOS do not verify the TLS
certificate of the 3CX server.

This allows an attacker between the 3CX application and the 3CX server to split
the TLS traffic and therefore read and manipulate the transmitted data.

For example, the data required for provisioning a new device can be read every
time when the app is started. This data can then be used to provision another
app.

Thus, attackers can provision an own device and use the entire functionality of
the app. This includes:

- List companies in the phone book
- Make phone calls
- Listen to voice box
- etc.

This attack can for example be reproduced by performing an ARP spoofing attack
in the network against the target client and by using Burp Suite as a
transparent HTTP proxy.


Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [2]:

- CVSS Base Score: 6.5 (Medium)
- CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N


Workaround / Fix
----------------

# 3CX Vendor

The app should correctly verify the server's certificate using the system CA
store or implement certificate pinning in the apps.

# 3CX Users

There is no security update for this vulnerability at the moment. According to
the 3CX, the vulnerability will be tackled in future redesigns of the mobile
apps.

Users of the legacy Windows client can switch to the new Electron based 3CX
Desktop App which is not affected.


Timeline
--------

2021-12-16: Vulnerability discovered
2021-12-17: Discussed vulnerability with our customer
Asked 3CX for security contact on Twitter, community forum, support
email and contact form.
Got response via support mail. Security contact was dpo@3cx.com
Provided details
Requested CVE ID @ MITRE
2021-12-25: Assigned CVE-2021-45490
2022-01-03: Asked vendor if they understood the vulnerability.
Answer: Report was distributed internally.
2022-01-18: Asked vendor for any updates.
2022-02-02: Asked vendor for any updates.
2022-02-10: Asked vendor for any updates. 3CX can't tell when the issue will
be fixed.
2022-03-11: Asked vendor for any updates. 3CX thanked for the report.
Issues will be tackled in future redesigns of the mobile apps.
2022-03-17: Coordinated public disclosure


Acknowledgement
---------------

Thanks 3CX for the coordinated dicslosure.


References
----------

[1] https://www.3cx.com/
[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close