
Security risk?

Discussion in 'Ideas' started by PaulD, Jul 26, 2016.


  1. PaulD

    Joined:
    Jul 4, 2010
    Messages:
    90
    Likes Received:
    11
    The config files which are attached to the Welcome Emails are XML files in plain English. Consequently, the Auth Password, VMail PIN and the Tunnel Password are exposed for all to see - insecure no matter how complex we make them. The apparent risks might be reduced by:

    1. Checkbox to include/exclude attachment of config file to Welcome Email - not all users need it
    2. Obfuscate passwords within the config file
    3. Possibly time-limit config files in some way
    4. Is the VM PIN really needed within the config file? Surely that should be held server side

    Perhaps there is already a way to encrypt these config files - am I missing something?
     
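To make the exposure in the post above concrete, here is an added audit script. It is not 3CX code and not from the poster: it parses a provisioning XML of the shape the thread describes, reports which credential elements carry a plaintext value, and shows what option 4 (hold the PIN server side) looks like when applied to such a file. The sample document is constructed; `<AuthPass>` and `<TunnelPass>` are the element names quoted later in the thread, while `<VMailPIN>` and the surrounding structure are assumptions, not the real 3CX schema.

```python
"""Audit a 3CX-style provisioning XML for plaintext credentials (added example)."""
import xml.etree.ElementTree as ET

# Element names the thread identifies as carrying secrets. AuthPass and TunnelPass
# are quoted in the thread; VMailPIN is an assumed name for the voicemail PIN element.
SECRET_ELEMENTS = {"AuthPass", "TunnelPass", "VMailPIN"}

# Constructed sample, not a real 3CX welcome-mail attachment.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<Provision>
  <Extension>100</Extension>
  <AuthID>100</AuthID>
  <AuthPass>x7Pq!2LmZq91</AuthPass>
  <TunnelPass>tunnelSecret42</TunnelPass>
  <VMailPIN>4821</VMailPIN>
  <Server>pbx.example.invalid</Server>
</Provision>
"""


def _local_name(tag):
    """Strip a namespace prefix such as '{urn:x}AuthPass' down to 'AuthPass'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_secrets(xml_text):
    """Return {element_name: value} for every secret element that holds a non-empty value.

    Note: when auditing files pulled from mailboxes (untrusted input), parse with
    defusedxml instead of the stdlib parser to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in SECRET_ELEMENTS and elem.text and elem.text.strip():
            found[name] = elem.text.strip()
    return found


def exposure_report(xml_text):
    """Same as find_plaintext_secrets but with values masked, safe to paste in a ticket."""
    return {
        name: value[:2] + "*" * (len(value) - 2)
        for name, value in find_plaintext_secrets(xml_text).items()
    }


def redact(xml_text, keep=()):
    """Return a copy of the document with secret elements emptied, except those in `keep`.

    redact(doc, keep=("AuthPass", "TunnelPass")) is option 4 from the post: the
    registration secrets stay in the file, the voicemail PIN is held server side.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) in SECRET_ELEMENTS and _local_name(elem.tag) not in keep:
            elem.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("exposed:", exposure_report(SAMPLE_CONFIG))
    print(redact(SAMPLE_CONFIG, keep=("AuthPass", "TunnelPass")))
```

Run it against the attachment from a welcome mail to see exactly which secrets a mailbox compromise would hand over; the redacted variant still contains the registration secrets, so it only addresses the PIN, not the underlying transport problem.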
  2. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    51
    Likes Received:
    8
    I have wondered this myself. I think this thread deserves a bump despite its age.
     
  3. cubewerk

    Joined:
    Sep 1, 2017
    Messages:
    9
    Likes Received:
    3
    +1 - very important.
     
    B.Fluehmann likes this.
  4. hwcltjn

    Joined:
    Aug 16, 2017
    Messages:
    26
    Likes Received:
    1
    I concur +1
     
  5. accentlogic

    accentlogic New Member

    Joined:
    Nov 14, 2013
    Messages:
    180
    Likes Received:
    77
    An option to have the Welcome email only send a link, which expires in n hours, might work. The link, when opened, would need to then generate the user specific information and generate the XML file for download.
     
    B.Fluehmann likes this.
  6. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    51
    Likes Received:
    8
    So, does 3CX not consider sending out <AuthPass></AuthPass> and <TunnelPass></TunnelPass> in plain text a serious security concern?

    The fact that we have not received any input from 3CX support makes it seem that way.

    If any of those config files lands in the wrong hands, it could be very bad indeed.
     
    exevi likes this.
  7. TechJimF

    Joined:
    May 11, 2017
    Messages:
    23
    Likes Received:
    3
    This is a huge security hole. We are currently evaluating 3CX for our call center and regardless of whether we can get the features needed, this is a deal breaker.
     
    exevi likes this.
  8. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    51
    Likes Received:
    8
    Especially since the tunnel port has to be open for all IPs in order for it to be useful for mobile devices. I have everything pretty well firewalled off except for that and 80/443.
     
    exevi likes this.
  9. jasonross

    Joined:
    Jun 17, 2015
    Messages:
    7
    Likes Received:
    0
    +1, pretty rudimentary security feature to have a hashed password value, rather than a plain text password.
     
  10. narkumas

    narkumas New Member

    Joined:
    Nov 28, 2016
    Messages:
    227
    Likes Received:
    29
  11. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,967
    Likes Received:
    269
    Smartphone clients will now be provisioned using QR codes...
     
    wuyu likes this.
  12. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    We can expand that idea by creating a unique installer for each Mac user. In this case there is no more need for users to download the dmg from 3CX. Instead, with the provided unique link they can download a zip installer with the prov file included. It is important to note that 3CXPhone.app should remain signed and not cause any problems...
     
  13. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    Encouraged by another topic, let's continue. Thanks to the open source of a non-VoIP project we can slightly modify it to something like this:
    Code:
    // gFileMgr is a global NSFileManager in the project this was adapted from;
    // in a standalone build declare it as
    //   NSFileManager * gFileMgr = [NSFileManager defaultManager];
    //
    // Returns the full paths of every *.3cxconfig entry found directly inside
    // <thePath>/auto-install and <thePath>/.auto-install (no recursion), or nil
    // if there are none.
    -(NSArray *) findConfigToInstallInPath: (NSString *) thePath
    {
        NSMutableArray * arrayToReturn = nil;
        NSString * file;
        BOOL isDir;
        
        // Visible folder: only directory entries (bundle-style configs, as in the
        // original project) are accepted here.
        NSString * folder = [thePath stringByAppendingPathComponent: @"auto-install"];
        NSDirectoryEnumerator * dirEnum = [gFileMgr enumeratorAtPath: folder];
        while (  (file = [dirEnum nextObject])  ) {
            [dirEnum skipDescendents];   // top level only, do not descend into bundles
            if (   [gFileMgr fileExistsAtPath: [folder stringByAppendingPathComponent: file] isDirectory: &isDir]
                && isDir
                && [[file pathExtension] isEqualToString: @"3cxconfig"]  ) {
                if (  arrayToReturn == nil  ) {
                    arrayToReturn = [NSMutableArray arrayWithCapacity:10];
                }
                [arrayToReturn addObject: [folder stringByAppendingPathComponent: file]];
            }
        }
        
        // Hidden folder (the one the zip in this proposal ships): any entry with the
        // extension is accepted, file or directory.
        folder = [thePath stringByAppendingPathComponent: @".auto-install"];
        dirEnum = [gFileMgr enumeratorAtPath: folder];
        while (  (file = [dirEnum nextObject])  ) {
            [dirEnum skipDescendents];
            if (  [[file pathExtension] isEqualToString: @"3cxconfig"]  ) {
                if (  arrayToReturn == nil  ) {
                    arrayToReturn = [NSMutableArray arrayWithCapacity:10];
                }
                [arrayToReturn addObject: [folder stringByAppendingPathComponent: file]];
            }
        }
        
        return [[arrayToReturn copy] autorelease];   // manual reference counting
    }
    The phone system, or more specifically the configuration manager, should place the prov file in the .auto-install folder and create the zip which the user requested:
    3CXPhone.app
    .auto-install
    .background

    The user will need to double-click the .zip file to expand it, and then 3CXPhone.app. Voilà!

    The admin should be able to decide which download links the Welcome mail will contain. For the Mac client they can select dmg or zip, which will be downloaded from the PBX.
     
  14. media2

    Joined:
    Oct 16, 2014
    Messages:
    5
    Likes Received:
    1
    Hi

    I'd like to use the Windows client for remote extensions in a smart-work environment,
    but the configuration in plain text is a security risk.

    +1

    Simone
     
  15. BrenttG

    BrenttG New Member

    Joined:
    Nov 17, 2017
    Messages:
    112
    Likes Received:
    30
    Another option would be to use steganography, perhaps encode the xml file with base64 using a custom alphabet and some extra "magic" so standard base64 decoding fails, and build the proper decoder into the app. I've seen a lot of companies do this.

    By magic, I of course mean modifiers like block inversion, character flipping, or other methods to further obfuscate decoding. I fooled a cryptography expert using such methods in a proof of concept; he never figured out that my test string was "you will never figure this out".

    Sending a link instead in the email is pointless, even if it's over TLS, because if the email itself has been intercepted, so has the link. So to make a link viable security-wise, there would need to be some additional verification method in place after clicking the link, such as verifying your mobile number, or a pass phrase, etc...

    A simpler method might even be to have the link in the email use the local FQDN, or IP, of the 3CX server, so that the link does not work if the device/user is outside the office, thus requiring the link be opened while they are on premise with the phone server, or at least on a premise where there is a site-to-site VPN to the phone server.

    All depends on how crazy you want to get with your security policies.
     
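The expiring-link proposal earlier in the thread (accentlogic) and the objection just above (an intercepted mail also leaks the link, so the link needs a second check) can be combined into one server-side flow. The following is an added example written for this thread, not 3CX code: the welcome mail carries only a link, the link is HMAC-signed, expires after n hours and is usable once, redemption requires a passphrase handed to the user out of band, and the config XML (with freshly generated AuthPass and TunnelPass, and no voicemail PIN) is built only at that moment. The link format, the host name, the element names in the generated XML and the `ProvisioningServer` class are all assumptions.

```python
"""Expiring, single-use provisioning link with an out-of-band passphrase (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ProvisioningServer:
    """Hypothetical PBX-side component; not how 3CX actually provisions clients."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 4 * 3600, clock=time.time):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be exercised deterministically
        self._pending = {}         # token id -> (extension, salt, passphrase hash); removed on use
        self.credentials = {}      # extension -> secrets kept server side, including the voicemail PIN

    @staticmethod
    def _hash(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def issue_link(self, extension: str, passphrase: str) -> str:
        """Create the link for the welcome mail; the passphrase is given to the user another way."""
        token_id = secrets.token_urlsafe(16)
        claims = {"id": token_id, "ext": extension, "exp": int(self._clock()) + self._ttl}
        payload = _b64(json.dumps(claims).encode())
        sig = _b64(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        salt = secrets.token_bytes(16)
        self._pending[token_id] = (extension, salt, self._hash(passphrase, salt))
        # Placeholder host. Using the PBX's internal FQDN here implements the
        # "only works on premise or over the site-to-site VPN" variant from the thread.
        return f"https://pbx.example.invalid/provision/{payload}.{sig}"

    def redeem(self, link: str, passphrase: str):
        """Return (config_xml, "ok") on success, or (None, reason) on refusal."""
        token = link.rsplit("/", 1)[-1]
        if token.count(".") != 1:
            return None, "malformed"
        payload, sig = token.split(".")
        expected = _b64(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"              # forged or tampered link
        claims = json.loads(_unb64(payload))
        if self._clock() > claims["exp"]:
            self._pending.pop(claims["id"], None)
            return None, "expired"
        entry = self._pending.get(claims["id"])
        if entry is None:
            return None, "already used or unknown"    # replay of a consumed link
        extension, salt, pw_hash = entry
        if not hmac.compare_digest(pw_hash, self._hash(passphrase, salt)):
            return None, "wrong passphrase"           # an intercepted mail alone is not enough
        del self._pending[claims["id"]]               # single use
        return self._build_config(extension), "ok"

    def _build_config(self, extension: str) -> str:
        # Secrets are generated at redemption time, so nothing long-lived ever sits in a mailbox.
        creds = {
            "AuthPass": secrets.token_urlsafe(12),
            "TunnelPass": secrets.token_urlsafe(12),
            "VMailPIN": f"{secrets.randbelow(10**6):06d}",
        }
        self.credentials[extension] = creds
        # The voicemail PIN stays server side (option 4 in the opening post) and is not emitted.
        return (
            f"<Provision><Extension>{extension}</Extension>"
            f"<AuthPass>{creds['AuthPass']}</AuthPass>"
            f"<TunnelPass>{creds['TunnelPass']}</TunnelPass></Provision>"
        )


if __name__ == "__main__":
    srv = ProvisioningServer(secrets.token_bytes(32), ttl_seconds=3600)
    link = srv.issue_link("100", "correct horse")
    print(srv.redeem(link, "wrong"))            # (None, 'wrong passphrase')
    print(srv.redeem(link, "correct horse"))    # (config, 'ok')
    print(srv.redeem(link, "correct horse"))    # (None, 'already used or unknown')
```

The signature is checked before anything else so that forged links are rejected without touching server state; a production version would additionally rate-limit passphrase attempts per token and serve the link only over TLS, and the client still receives AuthPass and TunnelPass in the clear at the end, so the file it downloads needs the same care as today's attachment once it is on the device.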