3CX is warning its customers to disable any SQL database integrations because of what it describes as a potential vulnerability.
Although the security advisory released by 3CX gives no specific information about what the issue is, it urges customers to take preventative measures by disabling any MongoDB, MSSQL, MySQL and PostgreSQL database integrations.
“If you’re using an SQL Database integration it’s subject potentially to a vulnerability – depending upon the configuration. As a precautionary measure and whilst we work on a fix, please follow the instructions to disable it.”
Jourdan goes on to explain that this issue only impacts 3CX versions 18 and 20. In addition, not all CRM integrations are affected by this issue.
A post on the community website was shared with a link to the security advisory, but with no additional information.
Supply Chain Attack March 2023
Back in March 2023, 3CX disclosed that its Electron-based 3CX Desktop App had been trojanized in a supply chain attack. The attack was carried out by the North Korean hacking group UNC4736 with the intent of distributing malware.
Disclosure of the compromise was delayed by over a week, despite streams of customers reporting that the app had been flagged as malicious by several cyber security companies, including CrowdStrike, SentinelOne, ESET, Palo Alto Networks and SonicWall.
Cybersecurity firm Mandiant later discovered that the 3CX hack was the result of another supply chain attack, one that impacted Trading Technologies, a stock trading automation company.
3CX has over 12 million daily users and is used by over 350,000 businesses globally. High-profile companies that use 3CX include Air France, the UK's NHS, BMW, Toyota, PepsiCo, American Express, Coca-Cola, IKEA, Honda and Renault.
Updates from 3CX to Bleeping Computer Regarding This Vulnerability
Two updates regarding this issue were shared with Bleeping Computer on 15 December 2023.
Pierre Jourdan, 3CX's CISO, said that around 0.25% of their user base "has SQL integrated."
With 3CX serving around 350,000 companies, this percentage equates to around 875 customers that could be impacted by this vulnerability.
In the second update received by Bleeping Computer, 3CX had still not provided details of the vulnerability that prompted the warning, but it confirmed that it is an SQL injection vulnerability in the 3CX CRM integration with SQL databases.
The vulnerability was discovered on 11 October 2023. Both the security researcher and the Computer Emergency Response Team Coordination Center (CERT/CC) tried to report it to 3CX without success for over two months, even though contact was established with 3CX's customer support on the first day.
The security researcher said that the 3CX Operations Director acknowledged the report on 15 December 2023. 3CX warned customers to disable SQL/CRM integrations to protect themselves from SQL injection attacks exploiting the flaw.
Detailed information was not provided, to avoid threat actors beginning to exploit the vulnerability in the wild.
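Because 3CX has published no details of the flaw, the example below is an added illustration of the vulnerability class it named (SQL injection in a CRM lookup), not 3CX's code. The schema, the caller-ID lookup functions and the sample contacts are all constructed for this article; the pattern shown is the generic one in which a phone system looks up an incoming caller's number in a CRM table. It contrasts a lookup that pastes the caller ID into the SQL string with a parameterised query and an allow-list check.

```python
"""
Added example: a CRM caller-ID lookup, vulnerable and hardened.
Not 3CX code; the table, data and function names are assumptions.
"""
import sqlite3

# Constructed sample CRM table. A phone system typically looks up the
# caller's number to show a contact name on the handset.
CONTACTS = [
    ("+15550100", "Alice Example", "Acme Corp"),
    ("+15550101", "Bob Example", "Globex"),
    ("+15550102", "Carol Example", "Initech"),
]


def new_crm_db():
    """Create an in-memory SQLite database standing in for the CRM backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (phone TEXT, name TEXT, company TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    return conn


def lookup_vulnerable(conn, caller_number):
    """The vulnerable pattern: the caller number, which the caller controls
    (caller ID is trivially spoofable), is pasted into the SQL text, so
    quote characters in it become part of the statement."""
    sql = f"SELECT name, company FROM contacts WHERE phone = '{caller_number}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, caller_number):
    """The fix: a parameterised query. The driver sends the value separately
    from the statement, so the contents of caller_number can never change
    the query's structure."""
    sql = "SELECT name, company FROM contacts WHERE phone = ?"
    return conn.execute(sql, (caller_number,)).fetchall()


def validate_caller_number(caller_number):
    """Defence in depth: allow-list the value before it reaches the database.
    An E.164 number is an optional '+' followed by 3 to 15 digits."""
    digits = caller_number[1:] if caller_number.startswith("+") else caller_number
    return digits.isdigit() and 3 <= len(digits) <= 15


def lookup_checked(conn, caller_number):
    """Reject anything that is not a phone number, then query safely."""
    if not validate_caller_number(caller_number):
        return []
    return lookup_hardened(conn, caller_number)


if __name__ == "__main__":
    db = new_crm_db()
    # Constructed hostile caller ID: a tautology that makes the WHERE clause
    # always true in the vulnerable version and dumps the whole table.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable(db, hostile))   # every contact is returned
    print(lookup_hardened(db, hostile))     # [] : treated as a literal string
    print(lookup_checked(db, hostile))      # [] : rejected before the query
    print(lookup_checked(db, "+15550101"))  # [('Bob Example', 'Globex')]
```

The parameterised query is the actual fix; the allow-list check is a second layer that also gives a detection hook, since a rejected caller ID is worth logging. Disabling the integration, as 3CX advised, removes the attack surface entirely until a fixed build is available.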
A further update was provided on 16 December 2023.
3CX Operations Director Ruth Elizabeth Abbott confirmed the disclosure timeline that the researcher had shared with Bleeping Computer.