Posted on March 30th, 2023 by Nick Galea, CEO, CTO & Founder, 3CX
Early this morning we informed our partners and customers that our electron windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue. We since learned that Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 have also been affected. Fortunately, anti-virus vendors flagged the executable 3CXDesktopApp.exe and blocked it.
3CX Appoints Leading Incident & Forensics Company Mandiant In response to this, 3CX has appointed Mandiant a renowned American cybersecurity firm and subsidiary of Google - and the market leader in threat intelligence. With their help we will be able to review this incident in full. Whilst their investigation is underway, we ask you to follow the instructions below immediately.
Ensure Your Server Has the Latest Update Installed Customers on 3CX Hosted / StartUP - No action needed 3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically. Servers will be restarted and the new Electron App MSI/DMG will be installed on the server. We recommend that you DO NOT install or deploy the Electron App. This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway. During the restart there might be disruption for a few minutes while we restart your server.
Self-Hosted and On-Premise - Install update For Self-Hosted and On-Premise follow these steps:
Launch Management Console Go to Updates Download Mac Desktop App - 18.12.422 Download Windows Desktop App - 18.12.422 On the Clients / Desktops Uninstall the Electron App Follow these steps to uninstall the Electron App for Mac or Windows
For Windows:
Start Type “Control Panel”, Enter Select “Programs and Features” Find 3CX Desktop App, select and press “Uninstall”. On Mac:
Go to “Applications” Tap on “3CX Desktop APP” Right click then “Move to Bin” Ensure that it isn’t also present on Desktop otherwise delete it from there as well. Empty the Bin Use PWA instead of the Electron APP - Here's how Install the Web Client as an app (PWA)
Login to the Web Client You have two options: Click on the OS icon below the user avatar. A new dialog will open, select “Web App (PWA)” and then hit the “Install” button. OR click on the “Install button” (A screen with an arrow) located in the address bar and confirm. See the icon circled red in the screenshot. To set the app to auto start: On Google Chrome: Open your Chrome browser and type ‘chrome://apps’ into the address bar. Right click on “3CX” and enable “Start app when you sign in”. On Microsoft Edge: On Edge, select to Auto-start in the dialog that appears after installation. PWA only works on Google Chrome and Microsoft Edge - not on Safari or Firefox
You can read more in the Web Client user manual.
Avoid Using the Electron App Unless Absolutely Essential In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron App unless there is absolutely no alternative. The Electron App update that we are releasing today is considered to be secure but there is no guarantee given that we only had 24 hours to make the necessary adjustments.
More Information to Come - Transparency Assured We are still working to decipher the full extent of the attack and we promise full transparency as soon as we are clear on everything. We don’t want to jump the gun and make wrong assumptions. Please follow our forum and blog as well as our LinkedIn, Twitter, Facebook and Instagram pages as we’ll continue to update our customers and partners regularly.
Our Continued and Very Sincere Apologies We continue to offer our very sincere apologies to all our partners and customers worldwide. The entire 3CX team continues to work around the clock.
Mar 30, 2023 - 10:41 PDT
Update - Update 30 March 2023 - 8:48 AM
3CX have released Desktop App version 18.12.422 to patch the security issue, please update the desktop app to this version as soon as possible
Mar 30, 2023 - 08:49 PDT
Monitoring - Dear Client,
3CX Security Notice - 30 March 2023
What is the issue, and what does it affect?
We regret to inform our customers that the 3CX Electron Windows App shipped in Update 7, with version numbers 18.12.407 & 18.12.416, includes a security issue. Anti Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are also affected.
The issue appears to be one of the bundled libraries that were compiled into the Windows Electron App via GIT. 3CX are still researching the matter to be able to provide a more in depth response later today.
Here’s some information on what has been done so far.
What has been done to mitigate the impact by 3CX?
Domains Have Been Taken Down
The domains contacted by this compromised library have already been reported, with the majority taken down overnight. A github repository which listed them has also been shut down, effectively rendering it harmless.
It is worth mentioning - that this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.
New Windows App in Progress
Currently, 3CX are working on a new Windows App that does not have the issue. They have also decided to issue a new certificate for this app. This will delay things by at least 24 hours so please bear with them whilst this happens.
What can you do until the new desktop App is ready for release?
Use the PWA App Instead!
We strongly suggest that you use the 3CX PWA app instead. The PWA app is completely web based and does 95% of what the electron app does. The advantage is that it does not require any installation or updating and chrome web security is applied automatically.
The reason 3CX has two apps is that when the 3CX Electron App was released, the PWA technology was not available yet. Now it's mature and working really well. More information on how to install it here. One deficiency at this time is the lack of the BLF (Busy Lamp Field) Option in the PWA dial pad.