
3CX Phone System Cleartext Passwords

Posted Mar 21, 2022
Authored by Emanuel Duss

The 3CX Phone System stores passwords in the clear and makes them exportable in the administration interface.

tags | advisory
advisories | CVE-2021-45491
SHA-256 | 2c1705c4372ab218a33192a0a6965c618979430b30d44e4c74099369db74b516

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: 3CX Phone System
# Vendor: 3CX
# CSNC ID: CSNC-2021-022
# CVE ID: CVE-2021-45491
# Subject: Exportable Cleartext Passwords
# CWE-ID: CWE-257 (Storing Passwords in a Recoverable Format)
# Severity: Medium
# Effect: Credential Reuse
# Author: Emanuel Duss <emanuel.duss@compass-security.com>
# Date: 2022-03-17
#
#############################################################

Introduction
------------

3CX is an open-platform office phone system that runs on premise on Windows or
Linux. 3CX was built for mobility, with remote work apps that offer secured
communication for the whole team. With the Android, iOS and Windows apps,
business communication is no longer tied to the office building. [1]

During a customer project, we identified a security vulnerability in the 3CX
system. The user passwords of the 3CX system are stored in plain text in the
database and are also exportable in the administration interface.


Affected
--------

- All versions of the 3CX application are affected.
- There is no fix from the vendor.


Description
-----------

The user passwords of the 3CX system are stored in plain text in the database
and are also exportable in the administration interface.

This can be verified by exporting the credentials via the admin interface or by
looking into the SQL database. This issue has also been documented in the
community forum since 2019 [2].

The storage of passwords in a recoverable format makes them subject to password
reuse attacks by malicious users. In fact, it should be noted that recoverable
encrypted passwords provide no significant benefit over plaintext passwords
since they are subject not only to reuse by malicious attackers but also by
malicious insiders. If a system administrator can recover a password directly,
or use a brute force search on the available information, the administrator can
use the password on other accounts. [3]


Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [4]:

- CVSS Base Score: 5.5 (Medium)
- CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N


Workaround / Fix
----------------

# 3CX Vendor

A password hash function such as PBKDF2, bcrypt or scrypt should be used for
passwords. The passwords should also be provided with a salt that is generated
individually for each user. This can make attacks that use rainbow tables or
pre-calculated wordlists more difficult.
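
The recommendation above, sketched as an added example (not code from 3CX or from the advisory author): salted PBKDF2-HMAC-SHA256 records replace plaintext values in a user table. The record layout, the iteration count and the `ext100`/`ext101` rows are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: tune to your hardware and policy
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, int(iterations))
    except ValueError:  # malformed record: wrong field count, bad base64, bad count
        return False
    return hmac.compare_digest(actual, expected)


def migrate_plaintext(rows: dict[str, str],
                      iterations: int = DEFAULT_ITERATIONS) -> dict[str, str]:
    """Replace each plaintext password in a user table with a salted hash record."""
    return {user: hash_password(pw, iterations) for user, pw in rows.items()}


if __name__ == "__main__":
    # Constructed sample rows: two users who chose the same password.
    legacy = {"ext100": "Summer2021!", "ext101": "Summer2021!"}
    for user, record in migrate_plaintext(legacy).items():
        print(user, record)  # records differ because each salt is unique
```

Because the stored record is one-way, an export from the administration interface or a database dump yields only salted hashes, and identical passwords no longer produce identical stored values.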

# 3CX Users

There is no security update for this vulnerability at the moment. According to
3CX, the vulnerability will be tackled in future redesigns of the management
console.


Timeline
--------

2021-12-16: Vulnerability discovered
2021-12-17: Discussed vulnerability with our customer
            Asked 3CX for security contact on Twitter, community forum, support
            email and contact form.
            Got response via support mail. Security contact was dpo@3cx.com
            Provided details
            Requested CVE ID @ MITRE
2021-12-25: Assigned CVE-2021-45491
2022-01-03: Asked vendor if they understood the vulnerability.
            Answer: Report was distributed internally.
2022-01-18: Asked vendor for any updates.
2022-02-02: Asked vendor for any updates.
2022-02-10: Asked vendor for any updates. 3CX can't tell when the issue will
            be fixed.
2022-03-11: Asked vendor for any updates. 3CX thanked for the report. Issues
            will be tackled in future redesigns of the management console.
2022-03-17: Coordinated public disclosure


Acknowledgement
---------------

Thanks to 3CX for the coordinated disclosure.


References
----------

[1] https://www.3cx.com/
[2] https://www.3cx.de/forum/threads/klartext-passwort-willkommen-mail-also-auch-in-db.94280/
[3] https://cwe.mitre.org/data/definitions/257.html
[4] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N&version=3.1

