3CX advised customers that the SQL database integration has been disabled due to CVE-2023-49954. Businesses that use MongoDB or any of their web-based customer relationship management (CRM) integration templates are not affected. Read this Cybersecurity Threat Advisory to gain details of the vulnerability and recommendations to prevent exploitation.
What is the threat?
This vulnerability affects integration templates for MsSQL, MySQL, or PostgreSQL, which are susceptible to SQL injection attacks if the 3CX server is accessible via the internet and no Web application firewall is installed in front of the 3CX machine. It manipulates the original SQL query executed against a database and allows attackers to interfere with the queries, leading to tempering of sensitive data, and in severe cases, complete database takeover.
Why is it noteworthy?
The threat is notable due to the active exploitation of SQL injection attacks, indicating a higher risk for organizations who are using old-style integration designed for on-premise firewall protected networks. The requirement for 3CX to deliver fixes for unsupported systems emphasizes the severity of the vulnerability and the potential impact on security if not handled swiftly. The incident focuses attention on the need to keep security systems up to date to reduce the likelihood of successful cyber-attacks.
What is the exposure or risk?
3CX advised clients on December 17, 2023 to disable SQL database connectors due to the CVE-2023-49954 vulnerability. Although the security alert issued does not include any specific details about the vulnerability, it urges clients to take precautions by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database interfaces.
3CX aims to release a patch (220.127.116.11, 18.104.22.1684) to address the security issue. Customers are encouraged to disable CRM integration until this patch is issued by adjusting the CRM solution setting to ‘None.’
What are the recommendations?
- Leverage a contemporary secure web API rather than direct SQL queries.
- If SQL Database is not required, it is safe to use the current release builds. If databases are required, go to Updates, and re-enable SQL Databases following the update. For SQL integration to work, the administrator must edit the integration code – all queries must be parameterized. This is a task that should be performed by a database professional – and with extreme caution.
- Implement an innovative secure REST API protocol.