var-202203-0951
Vulnerability from variot
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. 3CX of Iphone_os for 3cx Exists in a certificate validation vulnerability.Information may be obtained and information may be tampered with. #############################################################
COMPASS SECURITY ADVISORY
https://www.compass-security.com/research/advisories/
Product: 3CX Client for Windows (legacy), Android & iOS
Vendor: 3CX
CSNC ID: CSNC-2021-021
CVE ID: CVE-2021-45490
Subject: Missing Certificate Verification
CWE-ID: CWE-295 (Improper Certificate Validation)
Severity: Medium
Effect: Network Traffic Decryption and Manipulation
Author: Emanuel Duss emanuel.duss@compass-security.com
Date: 2022-03-17
Introduction
3CX is an open-platform office phone system that runs on premise on Windows or Linux. 3CX was built for mobility, with remote work apps that offer secured communication for the whole team. These applications do not verify the TLS certificate of the 3CX server. - There is no fix from the vendor at the moment. - The new Electron based 3CX Desktop App is not affected.
This allows an attacker between the 3CX application and the 3CX server to split the TLS traffic and therefore read and manipulate the transmitted data.
For example, the data required for provisioning a new device can be read every time when the app is started. This data can then be used to provision another app.
Thus, attackers can provision an own device and use the entire functionality of the app. This includes:
- List companies in the phone book
- Make phone calls
- Listen to voice box
- etc.
This attack can for example be reproduced by performing an ARP spoofing attack in the network against the target client and by using Burp Suite as a transparent HTTP proxy.
Vulnerability Classification
CVSS v3.1 Metrics [2]:
- CVSS Base Score: 6.5 (Medium)
- CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Workaround / Fix
3CX Vendor
The app should correctly verify the server's certificate using the system CA store or implement certificate pinning in the apps.
3CX Users
There is no security update for this vulnerability at the moment. According to the 3CX, the vulnerability will be tackled in future redesigns of the mobile apps.
Users of the legacy Windows client can switch to the new Electron based 3CX Desktop App which is not affected.
Timeline
2021-12-16: Vulnerability discovered 2021-12-17: Discussed vulnerability with our customer Asked 3CX for security contact on Twitter, community forum, support email and contact form. Got response via support mail. Security contact was dpo@3cx.com Provided details Requested CVE ID @ MITRE 2021-12-25: Assigned CVE-2021-45490 2022-01-03: Asked vendor if they understood the vulnerability. Answer: Report was distributed internally. 2022-01-18: Asked vendor for any updates. 2022-02-02: Asked vendor for any updates. 2022-02-10: Asked vendor for any updates. 3CX can't tell when the issue will be fixed. 2022-03-11: Asked vendor for any updates. 3CX thanked for the report. Issues will be tackled in future redesigns of the mobile apps. 2022-03-17: Coordinated public disclosure
Acknowledgement
Thanks 3CX for the coordinated dicslosure.
References
[1] https://www.3cx.com/ [2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202203-0951",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "3cx",
"scope": "lte",
"trust": 1.0,
"vendor": "3cx",
"version": "18.0.11"
},
{
"model": "3cx",
"scope": "lte",
"trust": 1.0,
"vendor": "3cx",
"version": "18.0.4"
},
{
"model": "3cx",
"scope": "lte",
"trust": 1.0,
"vendor": "3cx",
"version": "2022-03-17"
},
{
"model": "3cx",
"scope": "lte",
"trust": 0.8,
"vendor": "3cx",
"version": "2022-03-17 and earlier"
},
{
"model": "3cx",
"scope": null,
"trust": 0.8,
"vendor": "3cx",
"version": null
},
{
"model": "3cx",
"scope": "lte",
"trust": 0.8,
"vendor": "3cx",
"version": "18.0.4 and earlier"
},
{
"model": "3cx",
"scope": "lte",
"trust": 0.8,
"vendor": "3cx",
"version": "18.0.11 and earlier"
},
{
"model": "3cx",
"scope": "eq",
"trust": 0.8,
"vendor": "3cx",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Emanuel Duss",
"sources": [
{
"db": "PACKETSTORM",
"id": "166376"
}
],
"trust": 0.1
},
"cve": "CVE-2021-45490",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-45490",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-45490",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-45490",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-45490",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-45490",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-202203-1927",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. 3CX of Iphone_os for 3cx Exists in a certificate validation vulnerability.Information may be obtained and information may be tampered with. #############################################################\n#\n# COMPASS SECURITY ADVISORY\n# https://www.compass-security.com/research/advisories/\n#\n#############################################################\n#\n# Product: 3CX Client for Windows (legacy), Android \u0026 iOS\n# Vendor: 3CX\n# CSNC ID: CSNC-2021-021\n# CVE ID: CVE-2021-45490\n# Subject: Missing Certificate Verification\n# CWE-ID: CWE-295 (Improper Certificate Validation)\n# Severity: Medium\n# Effect: Network Traffic Decryption and Manipulation\n# Author: Emanuel Duss \u003cemanuel.duss@compass-security.com\u003e\n# Date: 2022-03-17\n#\n#############################################################\n\nIntroduction\n------------\n\n3CX is an open-platform office phone system that runs on premise on Windows or\nLinux. 3CX was built for mobility, with remote work apps that offer secured\ncommunication for the whole team. These applications do not verify\nthe TLS certificate of the 3CX server. \n- There is no fix from the vendor at the moment. \n- The new Electron based 3CX Desktop App is not affected. \n\nThis allows an attacker between the 3CX application and the 3CX server to split\nthe TLS traffic and therefore read and manipulate the transmitted data. \n\nFor example, the data required for provisioning a new device can be read every\ntime when the app is started. This data can then be used to provision another\napp. \n\nThus, attackers can provision an own device and use the entire functionality of\nthe app. This includes:\n\n- List companies in the phone book\n- Make phone calls\n- Listen to voice box\n- etc. \n\nThis attack can for example be reproduced by performing an ARP spoofing attack\nin the network against the target client and by using Burp Suite as a\ntransparent HTTP proxy. \n\n\nVulnerability Classification\n----------------------------\n\nCVSS v3.1 Metrics [2]:\n\n- CVSS Base Score: 6.5 (Medium)\n- CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\n\n\nWorkaround / Fix\n----------------\n\n# 3CX Vendor\n\nThe app should correctly verify the server\u0027s certificate using the system CA\nstore or implement certificate pinning in the apps. \n\n# 3CX Users\n\nThere is no security update for this vulnerability at the moment. According to\nthe 3CX, the vulnerability will be tackled in future redesigns of the mobile\napps. \n\nUsers of the legacy Windows client can switch to the new Electron based 3CX\nDesktop App which is not affected. \n\n\nTimeline\n--------\n\n2021-12-16: Vulnerability discovered\n2021-12-17: Discussed vulnerability with our customer\n Asked 3CX for security contact on Twitter, community forum, support\n email and contact form. \n Got response via support mail. Security contact was dpo@3cx.com\n Provided details\n Requested CVE ID @ MITRE\n2021-12-25: Assigned CVE-2021-45490\n2022-01-03: Asked vendor if they understood the vulnerability. \n Answer: Report was distributed internally. \n2022-01-18: Asked vendor for any updates. \n2022-02-02: Asked vendor for any updates. \n2022-02-10: Asked vendor for any updates. 3CX can\u0027t tell when the issue will\n be fixed. \n2022-03-11: Asked vendor for any updates. 3CX thanked for the report. \n Issues will be tackled in future redesigns of the mobile apps. \n2022-03-17: Coordinated public disclosure\n\n\nAcknowledgement\n---------------\n\nThanks 3CX for the coordinated dicslosure. \n\n\nReferences\n----------\n\n[1] https://www.3cx.com/\n[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\u0026version=3.1\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-45490"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "PACKETSTORM",
"id": "166376"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-45490",
"trust": 3.3
},
{
"db": "PACKETSTORM",
"id": "166376",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2021-019061",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202203-1927",
"trust": 0.6
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "PACKETSTORM",
"id": "166376"
},
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"id": "VAR-202203-0951",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2652174
},
"last_update_date": "2024-11-23T23:00:53.184000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-295",
"trust": 1.0
},
{
"problemtype": "Illegal certificate verification (CWE-295) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://packetstormsecurity.com/files/166376/3cx-client-missing-tls-validation.html"
},
{
"trust": 2.4,
"url": "https://www.3cx.com/community/forums/posts-articles-news/"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-45490"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-45490/"
},
{
"trust": 0.1,
"url": "https://www.compass-security.com/research/advisories/"
},
{
"trust": 0.1,
"url": "https://www.3cx.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=av:n/ac:h/pr:n/ui:n/s:u/c:l/i:l/a:n\u0026version=3.1"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "PACKETSTORM",
"id": "166376"
},
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"db": "PACKETSTORM",
"id": "166376"
},
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-07-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"date": "2022-03-21T17:36:33",
"db": "PACKETSTORM",
"id": "166376"
},
{
"date": "2022-03-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"date": "2022-03-28T02:15:06.950000",
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-07-14T08:39:00",
"db": "JVNDB",
"id": "JVNDB-2021-019061"
},
{
"date": "2022-04-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202203-1927"
},
{
"date": "2024-11-21T06:32:19.597000",
"db": "NVD",
"id": "CVE-2021-45490"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "3CX\u00a0 of \u00a0Iphone_os\u00a0 for \u00a03cx\u00a0 Certificate validation vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-019061"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202203-1927"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.