Hi @ll, the current 3CXPhoneSystem11.exe (for Windows), available from <http://www.3cx.com/phone-system/download-phone-system/> (pricing see <http://www.3cx.com/ordering/pricing/>), digitally signed on 2013-01-28, installs the following COMPLETELY outdated and vulnerable 3rd-party (open source) libraries/components:
* libeay32.dll and ssleay32.dll version 0.9.8e (from 2007-02-23) of OpenSSL (see <http://www.openssl.org/>) in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" (as part of the included PostgreSQL 8.3.7, see below) The current version of OpenSSL is 0.9.8y, see <http://www.openssl.org/>, it fixes at least 23 CVEs found in earlier versions downto 0.9.8e. * libeay32.dll and ssleay32.dll version 0.9.8k (from 2009-03-29) of OpenSSL (see <http://www.openssl.org/>) in "C:\Program Files\3CX Phone System\bin\" The current version of OpenSSL is 0.9.8y, see <http://www.openssl.org/>, it fixes at least 17 CVEs found in earlier versions downto 0.9.8k. * libeay32.dll and ssleay32.dll version 1.0.1 (from 2012-03-13) of OpenSSL (see <http://www.openssl.org/>) in "C:\Program Files\3CX Phone System\bin\webserver\" (as part of the included WWW server Abyss, see below) The current version of OpenSSL is 1.0.1e, see <http://www.openssl.org/>, it fixes at least 5 CVEs found in earlier versions downto 1.0.1. * zlib1.dll version 1.2.2 in "C:\Program Files\3CX Phone System\bin\" The current version of zlib is 1.2.8, see <http://zlib.net>, it fixes at least 2 CVEs found in 1.1.2 | Version 1.2.3 (July 2005) eliminates potential security | vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of | those versions should upgrade immediately. * zlib1.dll version 1.2.3 in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" (as part of the included PostgreSQL 8.3.7, see below) The current version of zlib is 1.2.8, see <http://zlib.net> From there: | All users are encouraged to upgrade immediately. * zlib1.dll version 1.2.6 in "C:\Program Files\3CX Phone System\bin\webserver\" (as part of the included WWW server Abyss, see below) The current version of zlib is 1.2.8, see <http://zlib.net> From there: | All users are encouraged to upgrade immediately. * libxml2.dll and libxslt.dll version 2.6 of libxml (see <http://www.xmlsoft.org/>) in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" (as part of the included PostgreSQL 8.3.7, see below) The current version of libxml is 2.9.0, see <http://www.xmlsoft.org/news.html>, version 2.6 is end-of-life for some years! <http://web.nvd.nist.gov/view/vuln/search-results?query=libxml2+2.6&search_type=all&cves=on> lists 6 CVEs for version 2.6. * Xerces version 2.5.0 (see <http://xerces.apache.org/xerces-c/>) in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" (as part of the included PostgreSQL 8.3.7, see below) The current versions are 2.8.0 and 3.1.1, version 2.5.0 is end-of-life for some years! <http://web.nvd.nist.gov/view/vuln/search-results?query=xerces+2.5&search_type=all&cves=on> lists 1 CVE for version 2.5.0. * MIT Kerberos 5 version 1.6.3-kfw-3.2.2 (see <http://web.mit.edu/kerberos/>) in "C:\Program Files\3CX Phone System\bin\" The current version of Kerberos for Windows is 4.01 (see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it fixes about 20 CVEs in ealier versions downto 1.6.3-kfw-3.2.2 (see <http://web.mit.edu/kerberos/advisories/>). * MIT Kerberos 5 version 1.6.2-kfw-3.2.1 in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" (as part of the included PostgreSQL 8.3.7, see below) The current version of Kerberos for Windows is 4.01 (see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it fixes about 20 CVEs in earlier versions downto 1.6.2-kfw-3.2.1 (see <http://web.mit.edu/kerberos/advisories/>). * PostgreSQL 8.3.7 (see <http://www.postgresql.org/>) in "C:\Program Files\3CX Phone System\bin\pgsql\bin\" The current version of PostgreSQL 8.3 is 8.3.23, it fixes about 20 CVEs since 8.3.7 (see <http://www.postgresql.org/support/security/>) * Abyss web server 2.8.0.2 X2 (see <http://www.aprelium.com/abyssws/>) in "C:\Program Files\3CX Phone System\bin\webserver\" This is the current version (released 2012-05-31), but built with vulnerable components too (see above), so yet another company that is unable to keep its software uptodate and protect its customers. Timeline: ~~~~~~~~~ 2013-05-05 vendor informed 2013-05-06 vendor replied: "3CX phone system is per objective evidence the safest phone system on the market. If you dont like it, use asterisk." I second that: dont use software from 3CX! Request your money back. 2013-05-06 report published Stefan Kanthak _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
