Hi @ll,

the current 3CXPhoneSystem11.exe (for Windows), available from
(pricing see ), digitally signed on 2013-01-28, installs the following
COMPLETELY outdated and vulnerable 3rd-party (open source)
libraries/components:

* libeay32.dll and ssleay32.dll version 0.9.8e (from 2007-02-23) of
  OpenSSL (see ) in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
  (as part of the included PostgreSQL 8.3.7, see below)

  The current version of OpenSSL is 0.9.8y, see , it fixes at least
  23 CVEs found in earlier versions down to 0.9.8e.

* libeay32.dll and ssleay32.dll version 0.9.8k (from 2009-03-29) of
  OpenSSL (see ) in
  "C:\Program Files\3CX Phone System\bin\"

  The current version of OpenSSL is 0.9.8y, see , it fixes at least
  17 CVEs found in earlier versions down to 0.9.8k.

* libeay32.dll and ssleay32.dll version 1.0.1 (from 2012-03-13) of
  OpenSSL (see ) in
  "C:\Program Files\3CX Phone System\bin\webserver\"
  (as part of the included WWW server Abyss, see below)

  The current version of OpenSSL is 1.0.1e, see , it fixes at least
  5 CVEs found in earlier versions down to 1.0.1.

* zlib1.dll version 1.2.2 in
  "C:\Program Files\3CX Phone System\bin\"

  The current version of zlib is 1.2.8, see , it fixes at least
  2 CVEs found in 1.1.2
  | Version 1.2.3 (July 2005) eliminates potential security
  | vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of
  | those versions should upgrade immediately.

* zlib1.dll version 1.2.3 in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
  (as part of the included PostgreSQL 8.3.7, see below)

  The current version of zlib is 1.2.8, see
  From there:
  | All users are encouraged to upgrade immediately.

* zlib1.dll version 1.2.6 in
  "C:\Program Files\3CX Phone System\bin\webserver\"
  (as part of the included WWW server Abyss, see below)

  The current version of zlib is 1.2.8, see
  From there:
  | All users are encouraged to upgrade immediately.

* libxml2.dll and libxslt.dll version 2.6 of libxml (see ) in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
  (as part of the included PostgreSQL 8.3.7, see below)

  The current version of libxml is 2.9.0, see , version 2.6 is
  end-of-life for some years!
  lists 6 CVEs for version 2.6.

* Xerces version 2.5.0 (see ) in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
  (as part of the included PostgreSQL 8.3.7, see below)

  The current versions are 2.8.0 and 3.1.1, version 2.5.0 is
  end-of-life for some years!
  lists 1 CVE for version 2.5.0.

* MIT Kerberos 5 version 1.6.3-kfw-3.2.2 (see ) in
  "C:\Program Files\3CX Phone System\bin\"

  The current version of Kerberos for Windows is 4.01 (see ), it
  fixes about 20 CVEs in earlier versions down to 1.6.3-kfw-3.2.2
  (see ).

* MIT Kerberos 5 version 1.6.2-kfw-3.2.1 in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"
  (as part of the included PostgreSQL 8.3.7, see below)

  The current version of Kerberos for Windows is 4.01 (see ), it
  fixes about 20 CVEs in earlier versions down to 1.6.2-kfw-3.2.1
  (see ).

* PostgreSQL 8.3.7 (see ) in
  "C:\Program Files\3CX Phone System\bin\pgsql\bin\"

  The current version of PostgreSQL 8.3 is 8.3.23, it fixes about
  20 CVEs since 8.3.7 (see )

* Abyss web server 2.8.0.2 X2 (see ) in
  "C:\Program Files\3CX Phone System\bin\webserver\"

  This is the current version (released 2012-05-31), but built with
  vulnerable components too (see above), so yet another company that
  is unable to keep its software up to date and protect its customers.


Timeline:
~~~~~~~~~

2013-05-05    vendor informed

2013-05-06    vendor replied:
              "3CX phone system is per objective evidence the safest
              phone system on the market. If you don't like it, use
              asterisk."

              I second that: don't use software from 3CX!
              Request your money back.

2013-05-06    report published


Stefan Kanthak
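
A way to check an installation tree for the OpenSSL and zlib builds listed above, as an added example that is not part of the original report: it searches .dll/.exe files for the version banners these libraries compile into their binaries and compares them with the current versions quoted in the report. The function names and the sample bytes are constructed for illustration; `version_key` also orders plain dotted versions such as the PostgreSQL ones numerically.

```python
import re
from pathlib import Path

# "Current" versions as quoted in the report, per release branch.
CURRENT = {
    "openssl": {"0.9.8": "0.9.8y", "1.0.1": "1.0.1e"},
    "zlib": {"1.2": "1.2.8"},
}
# Version banners that OpenSSL and zlib compile into their binaries.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) +\d{1,2} [A-Z][a-z]{2} \d{4}"),
    "zlib": re.compile(rb"(?:de|in)flate (\d+(?:\.\d+){2,3}) Copyright"),
}

def version_key(version):
    """'0.9.8e' -> ((0, 9, 8), 'e'): numeric fields as ints, letter suffix last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)

def audit_blob(data):
    """Return sorted (component, found, current, outdated) tuples for one file's bytes."""
    findings = set()
    for component, banner in BANNERS.items():
        for m in banner.finditer(data):
            found = m.group(1).decode("ascii")
            current = next((cur for branch, cur in CURRENT[component].items()
                            if found.startswith(branch)), None)  # None: no baseline listed
            outdated = current is not None and version_key(found) < version_key(current)
            findings.add((component, found, current, outdated))
    return sorted(findings)

def scan_tree(root):
    """Map every .dll/.exe below root that carries a banner to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".dll", ".exe"}:
            hits = audit_blob(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Constructed bytes standing in for a DLL; not taken from a 3CX binary.
    sample = (b"\x00OpenSSL 0.9.8e 23 Feb 2007\x00"
              b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00")
    for row in audit_blob(sample):
        print(row)
```

Run `scan_tree` against the installation directory to get a per-file list; a `current` of `None` means the banner belongs to a branch for which the report quotes no current version.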