3CX Security Update Version 9 Build 13967

Important security update Version 9.13967

It has come to our attention that many installations of 3CX Phone System are deployed with weak passwords. This can result in hackers guessing the passwords and compromising the system.

This security update has many features that will make your 3CX Phone System Server more secure and protect it from attacks. It is very important that this update is performed as soon as possible.

Download the latest security update service pack from within your 3CX Phone System installation (Windows Management console only).
Access the 3CX Management Console WINFORMS interface from Start/All Programs/3CX Phone System/Windows Management Console. Click on 3CX Phone System Updates/3CX Service Packs/updates.

Click on the Download Selected button to start the download. The 3CX Services will be stopped, files and components will be updated, and the 3CX Services will be started again automatically. When the update is complete, the 3CX Management Console will appear on your screen.

This update will create a strong password for the default 3CX Fax extension and all other Fax Extensions.
Any new extensions created from this point onwards will be generated with a strong random password and voicemail pin number.
In addition, a new function “Re-Generate Password” will allow you to create strong and random passwords for one or a selected group of extensions.

In the screenshot we can see that extensions 108, 109 and 110 are marked in RED. This means that either the Password, the Voicemail PIN or the SIP ID is the same as the extension number. Select these extensions and click on the Re-Generate Password button at the top.
At this point the following procedure takes place:
a) Strong Password is generated
b) Voicemail Pin is generated
c) Provisioning files are updated
d) Welcome email is sent with new information to those extensions that have email address configured

We strongly recommend upgrading to version 9 as it has strong inbuilt anti-hacking measures. For more information see this blog post:
3CX Anti-Hacking. How to secure your 3CX PBX

After you have performed the changes, remember to create a new backup with this version and use that backup for any restore from this point onwards. Your previous backups should not be used any more, because they still contain the weak credentials.

Weak Extensions

An extension is considered a weak extension when the password or the voicemail PIN number is the same as the extension number.

Extension with a weak password and voicemail pin number

It is important that an extension is not left configured like this. Such an extension is marked in bold red in the extensions list, and the Password and PIN text boxes are also shown in red.
The password should be alphanumeric and at least 6 characters long. This makes it more difficult to guess. With the anti-hacking feature in Version 9, it will also be more difficult to run a dictionary attack against such passwords.

Another example of a weak extension is when the SIP ID is the same as the Extension number.

A Weak extension because of the SIP ID

SIP IDs are also considered a risk, so new extensions created in the 3CX Phone System will have a blank SIP ID from this update onwards. If you need Direct SIP Calls to be made, do not enter a SIP ID that is the same as the extension number, because you could receive spam VoIP calls. An extension configured like this will also show in red. For existing SIP IDs, delete them from each extension if they are not used; otherwise change them manually to a value that differs from the extension number.

PSTN Gateways and VoIP Provider accounts

A PSTN gateway is treated exactly like a normal extension, so administrators must ensure that the Authentication Password is not left the same as the Virtual Extension number or the Authentication ID. The screenshot below shows a PSTN gateway about to be created with 70026 as the password, which is the same as the Authentication ID.

Weak PSTN Gateway configuration

In this case an attacker can start guessing the virtual extension number and register a phone to this PSTN Gateway. It is highly unlikely (but not impossible) that calls can be initiated, because of the source identification rules; however, incoming calls can definitely be diverted to the attacker, and if these are answered, the attacker can steal calls arriving on this PSTN gateway. It is important that the Authentication Password set for PSTN gateways is secure.
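The following script is an added example, not 3CX code, that applies the weak-credential rules described in this update (password, voicemail PIN or SIP ID equal to the extension number; PSTN gateway authentication password equal to the virtual extension number or the Authentication ID) to a set of records and then regenerates credentials for the weak ones, as the Re-Generate Password step does. The per-record dict layout, the 12-character password and 6-digit PIN lengths, and the sample records are all assumptions constructed for the example; they are not a 3CX export format or real installation data.

```python
"""Audit extension and PSTN gateway records for the weak-credential patterns
named in the 3CX security update, and regenerate credentials for weak ones.
Added example; the record layout below is an assumption, not 3CX's format."""
import secrets
import string

# Constructed sample records (not from a real installation). 888 stands in
# for the default fax extension, 70026 mirrors the weak gateway screenshot.
SAMPLE_RECORDS = [
    {"kind": "extension", "number": "100", "password": "Qx7t9Lm2", "pin": "482913", "sip_id": ""},
    {"kind": "extension", "number": "108", "password": "108", "pin": "108", "sip_id": ""},
    {"kind": "extension", "number": "109", "password": "kD4pZ8wq", "pin": "109", "sip_id": ""},
    {"kind": "extension", "number": "110", "password": "hT2mR6vc", "pin": "771204", "sip_id": "110"},
    {"kind": "extension", "number": "888", "password": "888", "pin": "888", "sip_id": ""},
    {"kind": "pstn_gateway", "number": "70026", "auth_id": "70026", "password": "70026"},
    {"kind": "pstn_gateway", "number": "70027", "auth_id": "gw-north", "password": "fR9sL3xP"},
]


def weakness_reasons(record):
    """Return the reasons a record is weak (empty list means it passes).
    The rules are the ones the update states for extensions and gateways."""
    reasons = []
    number = record["number"]
    if record["kind"] == "extension":
        if record["password"] == number:
            reasons.append("password equals extension number")
        if record["pin"] == number:
            reasons.append("voicemail PIN equals extension number")
        if record.get("sip_id") == number:
            reasons.append("SIP ID equals extension number")
    elif record["kind"] == "pstn_gateway":
        if record["password"] == number:
            reasons.append("auth password equals virtual extension number")
        if record["password"] == record["auth_id"]:
            reasons.append("auth password equals authentication ID")
    return reasons


def audit(records):
    """Map each weak record's number to its list of reasons."""
    return {r["number"]: weakness_reasons(r) for r in records if weakness_reasons(r)}


ALPHABET = string.ascii_letters + string.digits


def generate_password(length=12):
    """Random alphanumeric password with at least one letter and one digit
    (longer than the 6-character minimum the update asks for; an assumption)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def generate_pin(length=6):
    """Random numeric voicemail PIN."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def regenerate(record):
    """Copy of the record with fresh credentials. A SIP ID equal to the
    extension number is blanked, as the update recommends. Loops until the
    new values pass the audit rules themselves."""
    fixed = dict(record)
    if record["kind"] == "extension" and fixed.get("sip_id") == record["number"]:
        fixed["sip_id"] = ""
    while True:
        fixed["password"] = generate_password()
        if record["kind"] == "extension":
            fixed["pin"] = generate_pin()
        if not weakness_reasons(fixed):
            return fixed


def remediate(records):
    """Regenerate credentials only for the records the audit flags."""
    return [regenerate(r) if weakness_reasons(r) else r for r in records]


if __name__ == "__main__":
    for number, reasons in audit(SAMPLE_RECORDS).items():
        print(number, "->", "; ".join(reasons))
    print("weak after remediation:", audit(remediate(SAMPLE_RECORDS)))
```

Running the script lists 108, 109, 110, 888 and 70026 with their reasons and reports an empty set after remediation. In a real deployment the regenerated values would still have to be pushed to provisioning files and sent to users, as the update's step list describes; the script only shows the decision logic.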

NOTE: PSTN gateways are left with their factory pre-configured username and password. It is very important that this information is changed.

VoIP providers normally issue strong passwords when accounts are created. However, if you think that the account is not secure enough, it is important that you log in to your provider’s portal and change the credentials.

Additional fixes – Change Log

For more information go to the 3CX Phone System Change Log

  1. Pingback: 3CX VoIP TK Anlage Blog » 3CX Security Update Version 9 Build 13967

  2. THANK YOU for this update.

    I applaud you for listening to the feedback and getting this out quickly.

    G7eleven.

    September 4, 2010 at 1:27 am
  3. Thanks 3CX
    Fast response to a real problem encountered by a user just a week ago. An organized hacker turned one of our 3CX’s into an onward relay for International calls using the 888 fax extension – so this is a very real fix for a very real problem! I recommend that everybody carries out this upgrade ASAP …

    September 4, 2010 at 2:25 pm
  4. xtreme

    Is it possible to lock extension to predefined IP address? And is it possible to allow connecting of extension only from predefined interface? I did not find these settings.

    September 4, 2010 at 6:10 pm
  5. @Xtreme – We are thinking of adding this. We will discuss this internally and come up with some mechanism. Although the second part you mentioned can be easily done on the router. Allow sip traffic from Wanted IP Address only and drop sip to any any. This will give an extra added boost to your phone systems especially when you have bridges and tunnel connections between pbx’s.

    September 5, 2010 at 6:33 pm
  6. Quick and easy solution to a potentially devastating scenario. It took me about ten minutes per client to run the update. By using the “phone Interface” we then changed the passwords to a better level of security on the client phones. Great job 3CX!

    September 4, 2010 at 11:37 pm
  7. Logan

    As an immediate quick fix, can I just block off port 5060? An external extension uses 5090 tunnel and apart from a manual hacker using the 3cx client to access, I would think there’s no easy way to hack 5090. Moreover we can probably use VPN first for external extensions. The best is to change the sip passwords completely one by one but I think with about 100 extensions and coordinating with the users it’ll take quite some time.

    By the way, why do we need 5060 open at the firewall anyway? That’s what 3cx recommends from the blogs

    September 5, 2010 at 5:44 am
  8. @ logan
    5060 is needed when you have a voip provider account or when you want remote workers to connect to you remotely. If you don't have the need for the above mentioned voip scenarios, you don't need 5060 open from the outside. If for example you use a PSTN gateway and for remote workers you use the 3CX Tunnel, you don't need to open 5060. Hackers that infiltrate 3CX Phone Systems manage to do this also because they have 3CX installed in their labs and therefore know what ports certain services run on. Therefore it will also be a good idea to change the tunnel port too – example change it to 15090 just so it is not on the default port. You will give the attacker more to do, possibly catching him in the process.

    September 5, 2010 at 6:27 pm
  9. BJReplay

    If not using 3CX Voicemail (we are using Exchange), is a voice mail PIN the same as an extension still a risk?

    Dumb question, but how do you know if you’re not using SIP IDs?

    September 5, 2010 at 5:19 pm
  10. Yes, it is wiser not to keep them identical. In fact you are already breaking Exchange's security policy because by default Exchange does not let you do simple vmail pin numbers.

    As for sip id, you might not need it, but look in the extension page, Other tab, SIP ID text box. If that field is populated, then the sip id is registered. Simply blank the contents and save.

    September 5, 2010 at 5:59 pm
  11. HR

    Why not add the possibility of having the choice to enable hardware-based MAC addresses in conjunction with strong passwords and user IDs? This will also stop the possibility to log in on the same account from several devices and places.

    September 7, 2010 at 2:20 am
  12. Daniel Brook

    Also, regarding opening port 5060 on the firewall for those using SIP trunks…make sure you create a firewall policy to only allow port 5060 to communicate with your provider’s sip domain. Use the 3cx tunnel for remote extensions which don’t require a hardphone and a 3cx sip proxy utility for hardphone environments.

    September 7, 2010 at 2:32 am
  13. Nicky

    Leave no stone unturned and also change the tunnel password too.

    September 7, 2010 at 1:23 pm
  14. Pingback: 3CX VoIP TK Anlage Blog » 3CX Version 9 Service Pack 2 (Sicherheitsupdate)