The affected SQL database templates are MsSQL, MySQL and PostgreSQL.

On 15 December we advised customers to disable the SQL Database integration following the report of CVE-2023-49954. The issue, identified by independent security researcher Theo Stein, concerns a legacy integration that queries customer contact data directly from a SQL database server.

In the interest of disclosure we are publishing this update today, ahead of tomorrow's fix. Read on for the timeline, a technical description of the issue, and the proposed solution.

Technical Description:

If one of the SQL integration templates (MsSQL, MySQL, PostgreSQL) is in use, it can be subject to SQL injection when the 3CX server is reachable from the Internet and there is no web application firewall in front of the 3CX machine. In that case it is possible to manipulate the original SQL query executed against the database. The root cause is that these templates substitute caller-supplied values, such as the calling number, directly into the statement text; a WAF only reduces exposure, the template itself has to change.

Only the SQL database templates listed above (MsSQL, MySQL, PostgreSQL) are affected, and none of the other web CRM templates. Customers using MongoDB or any of our web CRM integration templates are not affected.

Proposed Solution

In general, we continue to strongly recommend using a secure, modern web API rather than direct SQL queries.

The CRM engine has been extended so that the SQL database templates use parameterized queries, in which user input is passed as parameters to the SQL statements executed against the database. This is what prevents SQL injection: the statement text is fixed, and the database driver binds the values separately.

Example:
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE CONCAT('%',@Number,'%') or phonebusiness LIKE CONCAT('%',@Number,'%') or faxbusiness LIKE CONCAT('%',@Number,'%')

This ensures that user input is treated as data and not as part of the final query that is executed. Note that binding a parameter does not change how LIKE interprets it: a value containing '%' or '_' still acts as a wildcard, so those characters should be escaped if an exact substring match is required.
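The difference between the two template styles, as an added example that is not 3CX's code: it builds an in-memory SQLite table with a few constructed contacts, runs an old-style lookup with `[Number]` spliced into the statement text, then the parameterized equivalent, and finally the same lookup with LIKE wildcards escaped. SQLite accepts `@Name` placeholders but has no CONCAT(), so `||` stands in for the CONCAT('%',@Number,'%') used in the templates above; the table, the data, the function names and the injection payload are all assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration only; not 3CX's schema or data.
CONTACTS = [
    (1, "Ada", "Lovelace", "Analytical Ltd", "ada@example.com", "+441234567", "+449876543", ""),
    (2, "Linus", "Torvalds", "Kernel Inc", "linus@example.com", "+358401234", "", "+358409999"),
    (3, "Grace", "Hopper", "COBOL Co", "grace@example.com", "+1555000111", "+1555000222", ""),
]


def make_db():
    """Create an in-memory contacts table shaped like the advisory's queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, "
        "companyname TEXT, email TEXT, phonemobile TEXT, phonebusiness TEXT, faxbusiness TEXT)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?, ?, ?, ?, ?)", CONTACTS)
    return conn


# Old style: the [Number] placeholder is spliced into the query text verbatim.
OLD_TEMPLATE = (
    "SELECT id FROM contacts WHERE phonemobile LIKE '%[Number]%' "
    "OR phonebusiness LIKE '%[Number]%' OR faxbusiness LIKE '%[Number]%'"
)


def lookup_old(conn, number):
    """Vulnerable: caller-controlled text becomes part of the SQL statement."""
    sql = OLD_TEMPLATE.replace("[Number]", number)
    return [row[0] for row in conn.execute(sql)]


# New style: @Number is a bound parameter. SQLite lacks CONCAT(), so the
# wildcards are joined with ||; CONCAT('%',@Number,'%') expresses the same thing.
NEW_TEMPLATE = (
    "SELECT id FROM contacts WHERE phonemobile LIKE '%' || @Number || '%' "
    "OR phonebusiness LIKE '%' || @Number || '%' OR faxbusiness LIKE '%' || @Number || '%'"
)


def lookup_new(conn, number):
    """Safe against injection: the driver binds @Number as data, never as SQL."""
    return [row[0] for row in conn.execute(NEW_TEMPLATE, {"Number": number})]


# Binding stops injection but not LIKE metacharacters: an input of "%" or "_"
# still acts as a wildcard. Escape them and declare the escape character.
ESCAPED_TEMPLATE = (
    "SELECT id FROM contacts WHERE phonemobile LIKE '%' || @Number || '%' ESCAPE '\\' "
    "OR phonebusiness LIKE '%' || @Number || '%' ESCAPE '\\' "
    "OR faxbusiness LIKE '%' || @Number || '%' ESCAPE '\\'"
)


def escape_like(value):
    """Escape backslash, % and _ so they match literally under ESCAPE '\\'."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_new_escaped(conn, number):
    """Bound parameter plus wildcard escaping: the input is matched literally."""
    return [row[0] for row in conn.execute(ESCAPED_TEMPLATE, {"Number": escape_like(number)})]


if __name__ == "__main__":
    db = make_db()
    payload = "999' OR '1%'='1"  # turns each LIKE clause into ... LIKE '%999' OR '1%'='1%'
    print("old, normal input :", lookup_old(db, "1234567"))    # [1]
    print("old, injected     :", lookup_old(db, payload))      # [1, 2, 3]: every contact leaks
    print("new, injected     :", lookup_new(db, payload))      # []: treated as a phone number
    print("new, wildcard     :", lookup_new(db, "%"))          # [1, 2, 3]: still a wildcard
    print("escaped, wildcard :", lookup_new_escaped(db, "%"))  # []: literal % matches nothing
```

The payload closes the quoted literal and appends a condition that is always true; with the old template every row of the contacts table comes back, with the bound parameter the same text is just a phone number that matches nothing. The last two calls show why wildcard escaping is a separate concern from injection.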

A fix will be provided tomorrow in the following builds (Security Fix: SQL Database Integrations):

  • 18.0.9.23

  • 20.0.0.1494

If you do not need the SQL Database integration, stay on your current version. If you really do need it, go to Updates and, after updating, re-enable SQL Database. The administrator will need to update the integration code for the SQL integration to work: every query must be parameterized. This is a task for a database professional, and one to be carried out with great care. We reiterate that it is better to switch to a secure, modern REST API.

Examples

These are only examples. You must make sure that every query is well formed: bind every user-supplied value, including the date fields, and never concatenate any of it into the statement text. The CONVERT(VARCHAR, ..., 127) calls in the journaling examples are SQL Server (T-SQL) syntax; on MySQL or PostgreSQL use that engine's own date formatting function.

Each example shows the old method (not recommended) followed by the new method (examples only).

Lookup by Number
Old method (not recommended):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE '%[Number]%' or phonebusiness like '%[Number]%' or faxbusiness LIKE '%[Number]%'
New method (example only):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE CONCAT('%',@Number,'%') or phonebusiness LIKE CONCAT('%',@Number,'%') or faxbusiness LIKE CONCAT('%',@Number,'%')

Lookup by Email
Old method (not recommended):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE email = '[Email]'
New method (example only):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE email = @Email

Search Contacts
Old method (not recommended):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE '%[SearchText]%' or phonebusiness like '%[SearchText]%' or faxbusiness LIKE '%[SearchText]%' or firstname LIKE '%[SearchText]%' or lastname LIKE '%[SearchText]%' or companyname LIKE '%[SearchText]%' or email LIKE '%[SearchText]%'
New method (example only):
SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE CONCAT('%',@SearchText,'%') or phonebusiness LIKE CONCAT('%',@SearchText,'%') or faxbusiness LIKE CONCAT('%',@SearchText,'%') or firstname LIKE CONCAT('%',@SearchText,'%') or lastname LIKE CONCAT('%',@SearchText,'%') or companyname LIKE CONCAT('%',@SearchText,'%') or email LIKE CONCAT('%',@SearchText,'%')

Call Journaling
Old method (not recommended):
INSERT INTO calls (subject, contactnumber, contactname, agentextension, callstarttime, callendtime, callduration, calltype) VALUES('3CX PhoneSystem Call', '[Number]', '[Name]', '[Agent]', '[[CallStartTimeUTC].ToString(^^yyyy-MM-ddTHH:mm:ssZ^^)]', '[[CallEndTimeUTC].ToString(^^yyyy-MM-ddTHH:mm:ssZ^^)]', '[Duration]', '[CallType]');
New method (example only):
INSERT INTO calls (subject, contactnumber, contactname, agentextension, callstarttime, callendtime, callduration, calltype) VALUES('3CX PhoneSystem Call', @Number, @Name, @Agent, CONVERT(VARCHAR, @CallStartTimeUTC,127), CONVERT(VARCHAR, @CallEndTimeUTC,127), @Duration, @CallType);

Chat Journaling
Old method (not recommended; note the manual quote escaping on the messages field, which is exactly the kind of hand-rolled sanitizing that parameters make unnecessary):
INSERT INTO chats (subject, contactnumber, contactname, email, agentextension, messages, chatstarttime, chatendtime, chatduration) VALUES('3CX PhoneSystem Chat Session', '[Number]', '[Name]', '[Email]', '[Agent]', N'[[ChatMessages].Replace("\'","''").Replace("\","")]', '[[ChatStartTimeUTC].ToString(^^yyyy-MM-ddTHH:mm:ssZ^^)]', '[[ChatEndTimeUTC].ToString(^^yyyy-MM-ddTHH:mm:ssZ^^)]', '[Duration]');
New method (example only):
INSERT INTO chats (subject, contactnumber, contactname, email, agentextension, messages, chatstarttime, chatendtime, chatduration) VALUES('3CX PhoneSystem Chat Session', @Number, @Name, @Email, @Agent, @ChatMessages, CONVERT(VARCHAR, @ChatStartTimeUTC,127), CONVERT(VARCHAR, @ChatEndTimeUTC,127), @Duration);

Contact Creation from the Client
Old method (not recommended):
INSERT INTO contacts (firstname, lastname, companyname, email, phonebusiness) VALUES ('[FirstName]', '[LastName]', '[Company]', '[Email]', '[Number]'); SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE '%[Number]%' or phonebusiness like '%[Number]%' or faxbusiness LIKE '%[Number]%';
New method (example only):
INSERT INTO contacts (firstname, lastname, companyname, email, phonebusiness) VALUES (@FirstName, @LastName, @Company, @Email, @Number); SELECT id AS contactid, firstname AS firstname, lastname AS lastname, companyname AS companyname, email AS email, phonemobile AS phonemobile, phonemobile2 AS phonemobile2, phonehome AS phonehome, phonehome2 AS phonehome2, phonebusiness AS phonebusiness, phonebusiness2 AS phonebusiness2, phoneother AS phoneother, faxbusiness AS faxbusiness, faxhome AS faxhome, pager AS pager, photourl AS photourl FROM contacts WHERE phonemobile LIKE CONCAT('%',@Number,'%') or phonebusiness LIKE CONCAT('%',@Number,'%') or faxbusiness LIKE CONCAT('%',@Number,'%');
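A helper for the administrator's migration task, added here and not part of 3CX: it rewrites the two mechanical cases seen in the examples above ('%[Name]%' to CONCAT('%',@Name,'%') and '[Name]' to @Name) and reports any placeholder it could not convert, such as the [[CallStartTimeUTC].ToString(...)] date expressions, which need the engine-specific conversion shown above (T-SQL CONVERT for MsSQL). The sample templates are shortened, constructed copies of the advisory's, the function names are my own, and the regexes only understand the [Name] placeholder syntax those templates use.

```python
import re

# Mechanical cases from the old templates and their parameterized forms:
#   '%[Name]%'  ->  CONCAT('%',@Name,'%')
#   '[Name]'    ->  @Name
_WILDCARD = re.compile(r"'%\[(\w+)\]%'")
_LITERAL = re.compile(r"'\[(\w+)\]'")
# Anything still wrapped in [...] after rewriting, including [[Name].Expr(...)] forms.
_LEFTOVER = re.compile(r"\[\[?(\w+)\]")


def migrate_template(sql):
    """Return (rewritten_sql, names of placeholders that still need manual work)."""
    new_sql = _WILDCARD.sub(r"CONCAT('%',@\1,'%')", sql)
    new_sql = _LITERAL.sub(r"@\1", new_sql)
    leftover = sorted(set(_LEFTOVER.findall(new_sql)))
    return new_sql, leftover


def is_parameterized(sql):
    """True only when no template placeholder remains inside the statement text."""
    return _LEFTOVER.search(sql) is None


# Constructed, shortened copies of the advisory's old templates (assumption: the
# real templates carry the full column list shown in the examples above).
SAMPLE_TEMPLATES = {
    "lookup_by_number": (
        "SELECT id AS contactid FROM contacts WHERE phonemobile LIKE '%[Number]%' "
        "or phonebusiness like '%[Number]%' or faxbusiness LIKE '%[Number]%'"
    ),
    "lookup_by_email": "SELECT id AS contactid FROM contacts WHERE email = '[Email]'",
    "call_journaling": (
        "INSERT INTO calls (subject, contactnumber, callstarttime, callduration) "
        "VALUES('3CX PhoneSystem Call', '[Number]', "
        "'[[CallStartTimeUTC].ToString(^^yyyy-MM-ddTHH:mm:ssZ^^)]', '[Duration]');"
    ),
}


def migrate_all(templates):
    """Migrate every template; map name -> (new_sql, leftover placeholder names)."""
    return {name: migrate_template(sql) for name, sql in templates.items()}


if __name__ == "__main__":
    for name, (sql, leftover) in migrate_all(SAMPLE_TEMPLATES).items():
        status = "OK" if not leftover else "MANUAL WORK: " + ", ".join(leftover)
        print(f"{name}: {status}\n  {sql}")
```

Run it over the real template set before re-enabling the integration: a template is only safe once is_parameterized() is true for it, which means the date expressions and the chat message field have been rewritten by hand to bound parameters rather than left as string substitutions.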

Dedicated Security Forum for 24/7 Response

The timeline given in the CVE report is correct. The vulnerability was reported to the licensing team, where it was not recognized as a security issue; for that purpose we have a dedicated security forum. For future reference, we ask that all reports of this kind be made in the forum, as it is actively monitored 24/7 by product and security experts. Following Mr. Stein's recommendation, we will also add a Responsible Disclosure Policy to the footer of our website, together with a contact address so that such alerts can be routed more efficiently.

Follow Us to Stay Up to Date

All affected customers have already been informed directly by email. We would like to remind all readers of our Security Alerts Forum. We invite all interested parties to raise issues there.