3CX Security Alert
3CX Security Alert
UPDATE: 03/30/2023 11:20AM CST - 3CX has posted an update
UPDATE: 03/31/2023 4:13AM CST - Chrome blocks latest 3CX MSI Installer Downloads
UPDATE: 03/31/2023 9:37AM CST - CVE-2023-29059 has been created for this vulnerability
UPDATE: 03/31/2023 9:44AM CST - 3CX recommends Legacy V16 CTI Client as an alternative to PWA
UPDATE: 04/01/2023 6:59AM CST - More instruction for removal and mass removal Powershell script
UPDATE: 04/01/2023 10:46AM CST - Security Incident Update Saturday 1 April 2023
UPDATE: 04/06/2023 09:16AM CST - New Desktop App Build Number 18.12.425 Released
UPDATE: 04/11/2023 06:43AM CST - Mandiant's Initial Results
1. How to check for, and uninstall vulnerable 3CX DesktopApps
This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.
You can easily check what Users/Extensions are using the DesktopApp and if they are on an affected version by navigating to the 3CX Management Console > Selecting the Phones Tab > and searching for "DesktopApp"
Take note that this search only finds connected and running DesktopApps.
2. How to uninstall
Windows:
-
On the affected users computer, open Control Panel or "appwiz.cpl"
-
Select "3CX Desktop App" and "Uninstall".
- Select “Yes” when prompted.
- You should see a progress bar.
For your notes, 3CX Desktop Application files are stored in:
C:\Users\<name>\AppData\Local\Programs\3CXDesktopApp
C:\Program Files\3CXDesktopApp\
Mac:
- Go to “Applications”
- Tap on “3CX Desktop APP”
- Right click then “Move to Bin”
- Ensure that it isn’t also present on Desktop otherwise delete it from there as well.
- Empty the Bin
3. Alert
3CX has issued a security notice that impacts the 3CX desktop app that was shipped with Update 7.
If your 3CX is hosted with Voxtelesys, we have NOT updated your 3CX Server from update 6 to 7, unless you have turned on Auto-Updates or manually updated yourself.
At this time, we are recommending all Update 7 users to uninstall the desktop app (if you are running Windows Defender, it may do this automatically for you). Please do not re-install the app until a patched version is released by 3CX. The MAC desktop application will not be rebuilt for the time being as 3CX is focusing on the Windows app as well as the actual security breach.
You can determine which users are using the 3CX desktop app by navigating to the 3CX Management Console, selecting the phones tab on the left, and searching for "DesktopApp;" take note that this will only show online Desktop App clients.
In addition, 3CX is recommending that users use the PWA web-client instead of the desktop app at this time:
“3CX strongly recommends using the PWA client instead. It achieves 99% of the client app’s functionality and is fully web-based. However, take note that the PWA does not have BLF or hotkeys features.”
As always, you can submit a support ticket through the portal if you have concerns or questions.
Downloads
Alternative Legacy V16 CTI Client for Windows
New (Patched) Mac Electron Desktop App - 18.12.425
New (Patched) Windows Desktop App - 18.12.425