| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6B1B0E4211364AFD858E5AA2F2B1EA9A@localhost>
Date: Mon, 6 May 2013 21:27:58 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: VULNERABLE and COMPLETELY outdated 3rd-party
libraries/components used in 3CX Phone System 11
Hi @ll,
the current 3CXPhoneSystem11.exe (for Windows), available from
<http://www.3cx.com/phone-system/download-phone-system/> (pricing
see <http://www.3cx.com/ordering/pricing/>), digitally signed on
2013-01-28, installs the following COMPLETELY outdated and
vulnerable 3rd-party (open source) libraries/components:
* libeay32.dll and ssleay32.dll version 0.9.8e (from 2007-02-23)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)
The current version of OpenSSL is 0.9.8y, see
<http://www.openssl.org/>, it fixes at least 23 CVEs found in
earlier versions downto 0.9.8e.
* libeay32.dll and ssleay32.dll version 0.9.8k (from 2009-03-29)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\"
The current version of OpenSSL is 0.9.8y, see
<http://www.openssl.org/>, it fixes at least 17 CVEs found in
earlier versions downto 0.9.8k.
* libeay32.dll and ssleay32.dll version 1.0.1 (from 2012-03-13)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\webserver\"
(as part of the included WWW server Abyss, see below)
The current version of OpenSSL is 1.0.1e, see
<http://www.openssl.org/>, it fixes at least 5 CVEs found in
earlier versions downto 1.0.1.
* zlib1.dll version 1.2.2
in "C:\Program Files\3CX Phone System\bin\"
The current version of zlib is 1.2.8, see <http://zlib.net>,
it fixes at least 2 CVEs found in 1.1.2
| Version 1.2.3 (July 2005) eliminates potential security
| vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of
| those versions should upgrade immediately.
* zlib1.dll version 1.2.3
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)
The current version of zlib is 1.2.8, see <http://zlib.net>
From there:
| All users are encouraged to upgrade immediately.
* zlib1.dll version 1.2.6
in "C:\Program Files\3CX Phone System\bin\webserver\"
(as part of the included WWW server Abyss, see below)
The current version of zlib is 1.2.8, see <http://zlib.net>
From there:
| All users are encouraged to upgrade immediately.
* libxml2.dll and libxslt.dll version 2.6 of libxml
(see <http://www.xmlsoft.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)
The current version of libxml is 2.9.0, see
<http://www.xmlsoft.org/news.html>, version 2.6 is end-of-life
for some years!
<http://web.nvd.nist.gov/view/vuln/search-results?query=libxml2+2.6&search_type=all&cves=on>
lists 6 CVEs for version 2.6.
* Xerces version 2.5.0 (see <http://xerces.apache.org/xerces-c/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)
The current versions are 2.8.0 and 3.1.1, version 2.5.0 is
end-of-life for some years!
<http://web.nvd.nist.gov/view/vuln/search-results?query=xerces+2.5&search_type=all&cves=on>
lists 1 CVE for version 2.5.0.
* MIT Kerberos 5 version 1.6.3-kfw-3.2.2 (see
<http://web.mit.edu/kerberos/>)
in "C:\Program Files\3CX Phone System\bin\"
The current version of Kerberos for Windows is 4.01
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it
fixes about 20 CVEs in ealier versions downto 1.6.3-kfw-3.2.2
(see <http://web.mit.edu/kerberos/advisories/>).
* MIT Kerberos 5 version 1.6.2-kfw-3.2.1
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)
The current version of Kerberos for Windows is 4.01
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>), it
fixes about 20 CVEs in earlier versions downto 1.6.2-kfw-3.2.1
(see <http://web.mit.edu/kerberos/advisories/>).
* PostgreSQL 8.3.7 (see <http://www.postgresql.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
The current version of PostgreSQL 8.3 is 8.3.23, it fixes about
20 CVEs since 8.3.7 (see <http://www.postgresql.org/support/security/>)
* Abyss web server 2.8.0.2 X2 (see <http://www.aprelium.com/abyssws/>)
in "C:\Program Files\3CX Phone System\bin\webserver\"
This is the current version (released 2012-05-31), but built with
vulnerable components too (see above), so yet another company that
is unable to keep its software uptodate and protect its customers.
Timeline:
~~~~~~~~~
2013-05-05 vendor informed
2013-05-06 vendor replied:
"3CX phone system is per objective evidence the safest phone
system on the market. If you dont like it, use asterisk."
I second that: dont use software from 3CX! Request your money back.
2013-05-06 report published
Stefan Kanthak
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists