SECURITY Issue - 3CX Windows Client in CTI Mode connected to Yealink T46G

Discussion in 'Windows' started by Julian Krautwald, Dec 8, 2016.

Thread Status:
Not open for further replies.
  1. Julian Krautwald

    Joined:
    Dec 8, 2016
    Messages:
    4
    Likes Received:
    0
    Hi everybody,
    maybe I am just missing some functionality or the 3CX Windows client is only able to send plain text messages to a connected Yealink T46G phone.
    Here is the issue:
    In our local LAN we deployed several Yealink T46G phones and saved the admin credentials for accessing the phone web UI in the 3CX system in the extension preferences.
    Now the interaction between a 3CX Windows client (in CTI mode) with the phone works perfectly fine.
    The only thing is: the 3CX client connects to the web UI of the phone via plain HTTP instead of HTTPS.
    This way the admin credentials of the phone (sent via HTTP Basic Authentication) are disclosed to everybody in the local LAN.
    As I cannot find an option to make the client connect only to the secure web UI via HTTPS, I am stuck here.
    Can you please verify this issue and get back to me with a solution?
    Best regards,
    Julian
     
  2. andreasc

    Joined:
    May 19, 2014
    Messages:
    35
    Likes Received:
    3
    Hi Julian,

    CTI can only work locally, so using HTTP locally is not a security issue.
    Anyway, you can force CTI to work only over HTTPS, but I didn't test it, so if you have any issues we cannot help you.

    Go to %programdata%\3CX\Instance1\Data\Http\Interface\MyPhone
    make a copy of cti_template.xml so that if something happens you have a backup,
    edit cti_template.xml, replace http with https and save.
    Restart 3CXPhoneSystemMC01 service and reprovision the 3CX Phone Client.
     
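The edit described above, done with a script instead of by hand, as an added example that is not 3CX code: it backs up the template, parses it as XML and changes only the `http://` scheme prefix of every element text or attribute value, so host placeholders, query strings and values already on `https://` are left untouched. The real layout of cti_template.xml is not shown in the thread, so the sample template below is constructed.

```python
"""Rewrite plain-HTTP phone URLs in a 3CX CTI template to HTTPS.

Added example, not 3CX code. The real cti_template.xml layout is not
documented in the thread, so SAMPLE_TEMPLATE is constructed; the rewrite
works on any element text or attribute value that starts with http://.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

HTTP_SCHEME = re.compile(r"^http://", re.IGNORECASE)

# Constructed sample; placeholder names and structure are assumptions.
SAMPLE_TEMPLATE = """<?xml version="1.0"?>
<cti>
  <phone model="T46G" webui="http://{{PHONE_IP}}/servlet" />
  <action name="dial">http://{{PHONE_IP}}/servlet?key=number</action>
  <action name="hangup">https://{{PHONE_IP}}/servlet?key=CANCEL</action>
</cti>
"""


def upgrade_urls(xml_text):
    """Return (rewritten XML, number of URLs changed).

    Only the scheme prefix is replaced, so everything after http:// survives
    and values that are already https:// are not counted or modified.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter():
        for key, value in elem.attrib.items():
            if HTTP_SCHEME.match(value):
                elem.set(key, HTTP_SCHEME.sub("https://", value))
                changed += 1
        text = (elem.text or "").strip()
        if HTTP_SCHEME.match(text):
            elem.text = HTTP_SCHEME.sub("https://", text)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def upgrade_template(path):
    """Back up the template first (as the post advises), then rewrite in place."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(".xml.bak"))
    new_xml, changed = upgrade_urls(path.read_text(encoding="utf-8"))
    if changed:
        path.write_text('<?xml version="1.0"?>\n' + new_xml, encoding="utf-8")
    return changed
```

After running it against the real template, restart the 3CXPhoneSystemMC01 service and reprovision the client as the post describes.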
  3. Julian Krautwald

    Joined:
    Dec 8, 2016
    Messages:
    4
    Likes Received:
    0
    Hi Andreas,
    just because this issue cannot be exploited via the Internet but only in the local network of the office does not mean that it isn't a security issue.
    E.g. you have a low-privileged employee (maybe a trainee) who wants to harm the company or another employee of the company.
    He can do this easily by intercepting the network traffic and gathering credentials of the IP phones of other employees.
    With these credentials he is now able to login to the admin panel of the phones and reconfigure/misuse it the way he likes.
    Thanks for your support anyway.
    I will try to implement the fix you proposed.
    Best regards,
    Julian
     
  4. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Hi Julian,

    traffic is addressed from host A to host B in the local LAN.
    Could you please describe the topology of the LAN where host C (low-privileged employee) will be able to see (capture) traffic between A and B?

    Thanks
     
  5. Julian Krautwald

    Joined:
    Dec 8, 2016
    Messages:
    4
    Likes Received:
    0
    Hi Stepan,
    the key to rerouting the traffic meant for one host to another in the LAN is called ARP spoofing (https://en.wikipedia.org/wiki/ARP_spoofing).
    It is a commonly known attack vector which works seamlessly, as it is based on a design flaw in the Address Resolution Protocol.
    Best regards,
    Julian
     
  6. andreasc

    Joined:
    May 19, 2014
    Messages:
    35
    Likes Received:
    3
    Hi Julian,

    I can accept ARP spoofing or DHCP spoofing in a public LAN that you do not control, but I can't accept that anyone who has wired or wireless access to the network can perform a spoofing attack on my or the company's network; it means that your local network is not secure enough.
    If the network is small, you can use static IP addresses and static ARP tables, or DHCP snooping.
    Also, not all phones support HTTPS.
     