3CX Security Alert

Tutorials / 3CX /
  • 3CX Security Alert
  • 3CX Security Alert


    UPDATE: 03/30/2023 11:20AM CST - 3CX has posted an update

    UPDATE: 03/31/2023 4:13AM CST - Chrome blocks latest 3CX MSI Installer Downloads

    UPDATE: 03/31/2023 9:37AM CST - CVE-2023-29059 has been created for this vulnerability

    UPDATE: 03/31/2023 9:44AM CST - 3CX recommends Legacy V16 CTI Client as an alternative to PWA

    UPDATE: 04/01/2023 6:59AM CST - More instruction for removal and mass removal Powershell script

    UPDATE: 04/01/2023 10:46AM CST - Security Incident Update Saturday 1 April 2023

    UPDATE: 04/06/2023 09:16AM CST - New Desktop App Build Number 18.12.425 Released

    UPDATE: 04/11/2023 06:43AM CST - Mandiant's Initial Results


    1. How to check for, and uninstall vulnerable 3CX DesktopApps

    This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

    You can easily check what Users/Extensions are using the DesktopApp and if they are on an affected version by navigating to the 3CX Management Console > Selecting the Phones Tab > and searching for "DesktopApp"

    Take note that this search only finds connected and running DesktopApps.

    Phone Admin Image

    2. How to uninstall

    Windows:

    • On the affected users computer, open Control Panel or "appwiz.cpl"

    • Select "3CX Desktop App" and "Uninstall".

    49dddcaa-44a8-4bf6-89ee-2d1e203679cc.png

    • Select “Yes” when prompted.

    2912c9c4-f225-46f5-91b7-b73569a8b314.png

    • You should see a progress bar.

    b7a0d84b-d78c-4ae6-a078-9b609ff7074a.png

    For your notes, 3CX Desktop Application files are stored in:

    C:\Users\<name>\AppData\Local\Programs\3CXDesktopApp
    C:\Program Files\3CXDesktopApp\
    

    Mac:

    • Go to “Applications”
    • Tap on “3CX Desktop APP”
    • Right click then “Move to Bin”
    • Ensure that it isn’t also present on Desktop otherwise delete it from there as well.
    • Empty the Bin

    3. Alert

    3CX has issued a security notice that impacts the 3CX desktop app that was shipped with Update 7.

    If your 3CX is hosted with Voxtelesys, we have NOT updated your 3CX Server from update 6 to 7, unless you have turned on Auto-Updates or manually updated yourself.

    At this time, we are recommending all Update 7 users to uninstall the desktop app (if you are running Windows Defender, it may do this automatically for you). Please do not re-install the app until a patched version is released by 3CX. The MAC desktop application will not be rebuilt for the time being as 3CX is focusing on the Windows app as well as the actual security breach.

    You can determine which users are using the 3CX desktop app by navigating to the 3CX Management Console, selecting the phones tab on the left, and searching for "DesktopApp;" take note that this will only show online Desktop App clients.

    In addition, 3CX is recommending that users use the PWA web-client instead of the desktop app at this time:

    “3CX strongly recommends using the PWA client instead. It achieves 99% of the client app’s functionality and is fully web-based. However, take note that the PWA does not have BLF or hotkeys features.”

    As always, you can submit a support ticket through the portal if you have concerns or questions.

    Voxtelesys Portal


    Downloads

    Alternative Legacy V16 CTI Client for Windows

    New (Patched) Mac Electron Desktop App - 18.12.425

    New (Patched) Windows Desktop App - 18.12.425


    Related Content