3CX Security Update Version 9 Build 13967

Important security update Version 9.13967

It has come to our attention that many installations of 3CX Phone System are deployed with weak passwords. This can result in hackers guessing the passwords and compromising the system.

This security update has many features that will make your 3CX Phone System Server more secure and protect it from attacks. It is very important that this update is applied as soon as possible.

Download the latest security update service pack from within your 3CX Phone System installation (Windows Management console only).
Access the 3CX Management Console WINFORMS interface from Start/All Programs/3CX Phone System/Windows Management Console. Click on 3CX Phone System Updates/3CX Service Packs/updates.

Click on the Download Selected button to start the download. The 3CX services will be stopped, files and components will be updated, and the 3CX services will be started again automatically. When the update is complete, the 3CX Management Console will appear on your screen.

This update will create a strong password for the default 3CX Fax extension and all other Fax Extensions.
Any new extensions created from this point onwards will be generated with a strong random password and voicemail pin number.
In addition, a new function “Re-Generate Password” will allow you to create strong and random passwords for one or a selected group of extensions.

In this diagram we can see that extensions 108, 109 and 110 are marked in RED. This means that either the Password, the Voicemail PIN or the SIP ID is the same as the extension number. Select these extensions and click on the Re-Generate Password button at the top.
At this point the following procedure takes place:
a) Strong Password is generated
b) Voicemail Pin is generated
c) Provisioning files are updated
d) Welcome email is sent with new information to those extensions that have email address configured

We strongly recommend upgrading to version 9 as it has strong inbuilt anti-hacking measures. For more information see this blog post:
3CX Anti-Hacking. How to secure your 3CX PBX

After you have performed the changes, remember to create a new backup with this version and use that backup for any restore from this point onwards. Your previous backups should no longer be used, as they still contain the weak credentials.

Weak Extensions

An extension is considered a weak extension when the password and the voicemail PIN number are the same as the extension number.

Extension with a weak password and voicemail PIN number

It is important that an extension is not left configured like this. Such an extension will be marked in bold red in the extensions list, and the Password and PIN text boxes will also be shown in red.
The password should be alphanumeric and at least 6 characters long. This makes it much harder to guess. With the anti-hacking feature in Version 9, it will also be more difficult to run a dictionary attack against such passwords.

Another example of a weak extension is when the SIP ID is the same as the Extension number.

A Weak extension because of the SIP ID

SIP IDs are also considered a threat, so new extensions created in the 3CX Phone System will have a blank SIP ID from this update onwards. If you need Direct SIP Calls to be made, do not enter a SIP ID that is the same as the extension number, because you could receive spam VoIP calls. An extension configured this way will also show in red. For existing SIP IDs, it is recommended that if SIP IDs are not used, they are deleted from each extension; otherwise, manually change them to something other than the extension number.

PSTN Gateways and VoIP Provider accounts

A PSTN gateway is configured exactly like a normal extension, so administrators must ensure that the Authentication Password is not left the same as the Virtual Extension number or the Authentication ID. The screenshot below shows a PSTN gateway about to be created with 70026 as the password, which is the same as the authentication ID.

Weak PSTN Gateway configuration

In this case an attacker can start guessing the virtual extension number and register a phone to this PSTN gateway. It is highly unlikely (but not impossible) that calls can be initiated, because of the source identification rules; however, calls can definitely be diverted to the attacker, and if these are answered, the attacker can steal calls coming in to this PSTN gateway. It is important that the Authentication Password set for PSTN gateways is secure.

NOTE: PSTN gateways are left with their factory pre-configured username and password. It is very important that these credentials are changed.
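As an added example (this is not 3CX code and is not part of the update), the following Python script applies the weak-extension rules from the sections above (password, voicemail PIN or SIP ID equal to the extension number; password not alphanumeric or shorter than 6 characters) and the weak-PSTN-gateway rule (authentication password equal to the virtual extension number or authentication ID) to a constructed list of records, and then generates replacement credentials in the spirit of the Re-Generate Password step. The record field names, the sample numbers and the generation routine are assumptions made for illustration; the provisioning-file update and welcome e-mail steps are out of scope.

```python
# Added example, not 3CX code. Audits constructed extension and PSTN gateway
# records for the weak-credential conditions described on this page and
# generates replacement credentials. Field names are assumptions.
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits
MIN_PASSWORD_LEN = 6  # page: alphanumeric and at least 6 characters long

# Constructed sample data; the numbers mirror the page's examples (108-110, 70026).
EXTENSIONS = [
    {"number": "100", "password": "Kq7vB2xN9pLm", "pin": "482913", "sip_id": ""},
    {"number": "108", "password": "108", "pin": "108", "sip_id": ""},
    {"number": "109", "password": "zX4pQ9aL", "pin": "109", "sip_id": ""},
    {"number": "110", "password": "tR8mN3vK", "pin": "771034", "sip_id": "110"},
    {"number": "111", "password": "abc12", "pin": "556610", "sip_id": ""},
]
GATEWAYS = [
    {"virtual_ext": "70026", "auth_id": "70026", "auth_password": "70026"},
    {"virtual_ext": "70027", "auth_id": "gw-north", "auth_password": "Wq9zT4hR2eVb"},
]


def password_meets_policy(pw):
    """Alphanumeric, at least MIN_PASSWORD_LEN characters, and mixing letters
    with digits (our reading of 'alphanumeric'; an assumption)."""
    return (len(pw) >= MIN_PASSWORD_LEN and pw.isalnum()
            and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw))


def extension_findings(ext):
    """Reasons an extension is weak per the page: password, voicemail PIN or
    SIP ID equal to the extension number, or a password outside the policy."""
    n = ext["number"]
    reasons = []
    if ext["password"] == n:
        reasons.append("password equals extension number")
    if ext["pin"] == n:
        reasons.append("voicemail PIN equals extension number")
    if ext["sip_id"] and ext["sip_id"] == n:
        reasons.append("SIP ID equals extension number")
    if not password_meets_policy(ext["password"]):
        reasons.append("password is not alphanumeric of at least 6 characters")
    return reasons


def gateway_findings(gw):
    """A PSTN gateway is weak when its authentication password equals the
    virtual extension number or the authentication ID."""
    reasons = []
    if gw["auth_password"] == gw["virtual_ext"]:
        reasons.append("auth password equals virtual extension number")
    if gw["auth_password"] == gw["auth_id"]:
        reasons.append("auth password equals authentication ID")
    return reasons


def audit(extensions, gateways):
    """Map of weak extension numbers / gateway virtual extensions to reasons."""
    return {
        "extensions": {e["number"]: r for e in extensions if (r := extension_findings(e))},
        "gateways": {g["virtual_ext"]: r for g in gateways if (r := gateway_findings(g))},
    }


def generate_password(length=12):
    """Random alphanumeric password from a CSPRNG; retried until it mixes letters and digits."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def generate_pin(extension_number, digits=6):
    """Random numeric voicemail PIN that never equals the extension number."""
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(digits))
        if pin != extension_number:
            return pin


def regenerate(ext):
    """Return a copy of the extension with a new strong password and PIN,
    the credential part of the page's Re-Generate Password step."""
    new = dict(ext)
    new["password"] = generate_password()
    new["pin"] = generate_pin(ext["number"])
    return new


if __name__ == "__main__":
    report = audit(EXTENSIONS, GATEWAYS)
    for kind, items in report.items():
        for ident, reasons in items.items():
            print(f"WEAK {kind[:-1]} {ident}: {'; '.join(reasons)}")
    fixed = regenerate(EXTENSIONS[1])
    print("after regeneration:", extension_findings(fixed) or "no findings")
```

Extension 110 still shows a finding after regeneration because, as the page says, a SIP ID equal to the extension number must be cleared or changed by hand; the Re-Generate Password step only replaces the password and PIN.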

VoIP providers normally issue strong passwords when an account is created. However, if you think that your account is not secure enough, access the account through your provider’s portal and change the credentials.

Additional fixes – Change Log

For more information go to the 3CX Phone System Change Log