CVE-2022-28005 The 3CX Phone System Management Console is vulnerable to an unauthenticated attacker who can access arbitrary files on the server. This could lead to credential disclosure.

This issue is resolved in version 18 Update 3 FINAL and later. To avoid this issue, we recommend upgrading to the latest version. End-users must upgrade their systems to the latest patch level. System administrators must upgrade their servers to the latest patch level. There are two workarounds for this issue. The first is to ensure that all users with access to the server's file system are also members of the “root” group. For more information on how to do this, please see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-allow-users-to-access-the-file-system-via-their-accounts The second workaround is to create ACLs on the file system to disable inheritance. For more information, see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-disable-inheritance-on-the-file-system

CVE-2022-28030

This issue is resolved in version 18 Update 3 FINAL and later. To avoid this issue, we recommend upgrading to the latest version. End-users must upgrade their systems to the latest patch level. System administrators must upgrade their servers to the latest patch level. There are two workarounds for this issue. The first workaround is to ensure that all users with access to the server's file system are also members of the “root” group. For more information on how to do this, please see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-allow-users-to-access-the-file-system-via-their-accounts The second workaround is to create ACLs on the file system to disable inheritance. For more information, see the Knowledge Base article here: https://support.3CX.com/hc/en

2

Workarounds to Avoid this Issue
This issue has been resolved in the latest patch. To avoid this issue, we recommend upgrading to the latest version and ensuring that all users with access to the server's file system are also members of the "root" group. There are two workarounds for this issue. The first is to ensure that all users with access to the server's file system are also members of the "root" group. For more information on how to do this, please see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-allow-users-to-access-the-file-system-via-their-accounts The second workaround is to create ACLs on the file system so inheritance is disabled for these folders (this will require creating a new folder). For more information, see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-disable-inheritance

CVE-2023-28006

This issue is resolved in version 18 Update 3 FINAL and later. To avoid this issue, we recommend upgrading to the latest version. End-users must upgrade their systems to the latest patch level. System administrators must upgrade their servers to the latest patch level. There are two workarounds for this issue. The first is to ensure that all users with access to the server's file system are also members of the “root” group. For more information on how to do this, please see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-allow-users-to-access-the-file-system-via-their-accounts The second workaround is to create ACLs on the file system to disable inheritance. For more information, see the Knowledge Base article here: https://support.3CX.com/hc/en-us/articles/360085677-How-to-disable-inheritance

Timeline

Published on: 05/06/2022 15:15:00 UTC
Last modified on: 05/18/2022 14:06:00 UTC

References

• https://www.3cx.com/blog/releases/v18-security-hotfix/
• https://www.3cx.com/blog/change-log/phone-system-change-log/
• https://www.3cx.com/blog/releases/v18-update-3-final/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28005