
3CX Phone 11 Outdated Libraries

Posted May 6, 2013
Authored by Stefan Kanthak

3CXPhoneSystem11.exe (for Windows) comes with vulnerable outdated third party libraries and components.

tags | advisory
systems | windows
SHA-256 | 69cba503c241948b132b39eaebd4d6ea204480f2f09dd78aff20760fcccfa577

Hi @ll,

the current 3CXPhoneSystem11.exe (for Windows), available from
<http://www.3cx.com/phone-system/download-phone-system/> (pricing
see <http://www.3cx.com/ordering/pricing/>), digitally signed on
2013-01-28, installs the following COMPLETELY outdated and
vulnerable 3rd-party (open source) libraries/components:


* libeay32.dll and ssleay32.dll version 0.9.8e (from 2007-02-23)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of OpenSSL is 0.9.8y (see
<http://www.openssl.org/>); it fixes at least 23 CVEs found in
earlier versions down to 0.9.8e.


* libeay32.dll and ssleay32.dll version 0.9.8k (from 2009-03-29)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\"

The current version of OpenSSL is 0.9.8y (see
<http://www.openssl.org/>); it fixes at least 17 CVEs found in
earlier versions down to 0.9.8k.


* libeay32.dll and ssleay32.dll version 1.0.1 (from 2012-03-13)
of OpenSSL (see <http://www.openssl.org/>)
in "C:\Program Files\3CX Phone System\bin\webserver\"
(as part of the included WWW server Abyss, see below)

The current version of OpenSSL is 1.0.1e (see
<http://www.openssl.org/>); it fixes at least 5 CVEs found in
earlier versions down to 1.0.1.


* zlib1.dll version 1.2.2
in "C:\Program Files\3CX Phone System\bin\"

The current version of zlib is 1.2.8 (see <http://zlib.net>);
it fixes at least 2 CVEs found in 1.1.2. From there:

| Version 1.2.3 (July 2005) eliminates potential security
| vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of
| those versions should upgrade immediately.


* zlib1.dll version 1.2.3
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of zlib is 1.2.8 (see <http://zlib.net>).
From there:
| All users are encouraged to upgrade immediately.


* zlib1.dll version 1.2.6
in "C:\Program Files\3CX Phone System\bin\webserver\"
(as part of the included WWW server Abyss, see below)

The current version of zlib is 1.2.8 (see <http://zlib.net>).
From there:
| All users are encouraged to upgrade immediately.


* libxml2.dll and libxslt.dll version 2.6 of libxml
(see <http://www.xmlsoft.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of libxml is 2.9.0 (see
<http://www.xmlsoft.org/news.html>); version 2.6 has been
end-of-life for some years!

<http://web.nvd.nist.gov/view/vuln/search-results?query=libxml2+2.6&search_type=all&cves=on>
lists 6 CVEs for version 2.6.


* Xerces version 2.5.0 (see <http://xerces.apache.org/xerces-c/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)

The current versions are 2.8.0 and 3.1.1; version 2.5.0 has been
end-of-life for some years!

<http://web.nvd.nist.gov/view/vuln/search-results?query=xerces+2.5&search_type=all&cves=on>
lists 1 CVE for version 2.5.0.


* MIT Kerberos 5 version 1.6.3-kfw-3.2.2 (see
<http://web.mit.edu/kerberos/>)
in "C:\Program Files\3CX Phone System\bin\"

The current version of Kerberos for Windows is 4.01
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>); it
fixes about 20 CVEs in earlier versions down to 1.6.3-kfw-3.2.2
(see <http://web.mit.edu/kerberos/advisories/>).


* MIT Kerberos 5 version 1.6.2-kfw-3.2.1
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
(as part of the included PostgreSQL 8.3.7, see below)

The current version of Kerberos for Windows is 4.01
(see <http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html>); it
fixes about 20 CVEs in earlier versions down to 1.6.2-kfw-3.2.1
(see <http://web.mit.edu/kerberos/advisories/>).


* PostgreSQL 8.3.7 (see <http://www.postgresql.org/>)
in "C:\Program Files\3CX Phone System\bin\pgsql\bin\"

The current version of PostgreSQL 8.3 is 8.3.23; it fixes about
20 CVEs since 8.3.7 (see <http://www.postgresql.org/support/security/>).


* Abyss web server 2.8.0.2 X2 (see <http://www.aprelium.com/abyssws/>)
in "C:\Program Files\3CX Phone System\bin\webserver\"

This is the current version (released 2012-05-31), but it is built
with vulnerable components too (see above), so yet another company
that is unable to keep its software up to date and protect its
customers.
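A version-comparison check of the kind this inventory calls for, as an added example (not part of the advisory or of 3CX's software): it compares each bundled library against the "current" release the advisory names for its branch, handling OpenSSL's letter-suffix versions (0.9.8e < 0.9.8y, 1.0.1 < 1.0.1e). The baseline table and the inventory list are constructed from the figures above; reading real DLL versions from a live install is left to the caller.

```python
import re
# Fixed-in releases per branch as the advisory names them (constructed table);
# an empty branch matches any installed version (KfW "4.01" written as 4.0.1).
ADVISORY_BASELINE = [
    ("openssl", "0.9.8", "0.9.8y"), ("openssl", "1.0.1", "1.0.1e"),
    ("zlib", "1.2", "1.2.8"), ("libxml2", "2", "2.9.0"), ("xerces-c", "2", "2.8.0"),
    ("kfw", "", "4.0.1"), ("postgresql", "8.3", "8.3.23"),
]

_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")

def version_key(version):
    # Sortable key for '1.2.8', '2.6' or OpenSSL-style '0.9.8k': four zero-padded
    # numeric parts plus the letter as an ordinal, so 1.0.1 < 1.0.1a < 1.0.1e.
    m = _VER.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(parts) + (letter,)

def fixed_version(component, installed):
    # The advisory's "current" release for the branch the installed version is on.
    key = version_key(installed)
    for comp, branch, fixed in ADVISORY_BASELINE:
        prefix = tuple(int(p) for p in branch.split(".")) if branch else ()
        if comp == component and key[:len(prefix)] == prefix:
            return fixed
    return None

def audit(inventory):
    # inventory: (path, component, version) triples; returns the outdated ones.
    findings = []
    for path, component, installed in inventory:
        fixed = fixed_version(component, installed)
        if fixed and version_key(installed) < version_key(fixed):
            findings.append((path, component, installed, fixed))
    return findings

# Constructed inventory mirroring the advisory's paths and versions, plus one
# already-current OpenSSL entry that must not be flagged.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\ssleay32.dll", "openssl", "0.9.8e"),
    (r"C:\Program Files\3CX Phone System\bin\ssleay32.dll", "openssl", "0.9.8k"),
    (r"C:\Program Files\3CX Phone System\bin\webserver\ssleay32.dll", "openssl", "1.0.1"),
    (r"C:\Program Files\3CX Phone System\bin\zlib1.dll", "zlib", "1.2.2"),
    (r"C:\Program Files\3CX Phone System\bin\pgsql\bin\libxml2.dll", "libxml2", "2.6"),
    (r"C:\Program Files\3CX Phone System\bin\webserver\ssleay32.dll", "openssl", "1.0.1e"),
]
```

Running `audit(SAMPLE_INVENTORY)` flags the five outdated entries and leaves the 1.0.1e one alone; a version outside every listed branch (e.g. OpenSSL 1.1.0) yields no baseline and is skipped rather than misreported.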


Timeline:
~~~~~~~~~

2013-05-05 vendor informed

2013-05-06 vendor replied:
"3CX phone system is per objective evidence the safest phone
system on the market. If you don't like it, use asterisk."

I second that: don't use software from 3CX! Request your money back.

2013-05-06 report published


Stefan Kanthak

