Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry (CWE-798, Use of Hard-coded Credentials).
Summary

Title: DEXIS Imaging Suite 10 contains hard-coded credentials

Information
Name: VU#282991
Vendor: VU-CERT
Severity (vendor): N/A
First vendor publication: 2016-09-07
Last vendor modification: 2016-09-07
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Impact subscore: NA
Exploitability subscore: NA
Temporal score: NA
Environmental score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#282991

DEXIS Imaging Suite 10 contains hard-coded credentials

Original Release date: 07 Sep 2016 | Last revised: 07 Sep 2016

Overview

DEXIS is dental x-ray imaging software that manages patient records. DEXIS Imaging Suite 10 contains several hard-coded credentials allowing administrative or root access to the patient database.

Description

CWE-798: Use of Hard-coded Credentials - CVE-2016-6532

DEXIS Imaging Suite 10 contains several hard-coded database credentials allowing administrative or root access to the patient database. Other versions of DEXIS may also be affected.

Impact

A remote, unauthenticated attacker may be able to gain administrative access to the DEXIS patient database.

Solution

Update the database credentials

DEXIS has provided the instructions below for updating the database password. Changing the database credentials will mitigate the issue. Affected users may also contact DEXIS Customer Support for more information or support.

    Changing the DEXIS database password

    This procedure targets installations of DEXIS Imaging Suite (version 10). It will not work for older versions (9 and earlier) or DEXIS 11 and newer.
    The DEXIS Imaging Suite database installation uses a well-known database instance name and password, allowing others to access your database, which contains sensitive patient information. Ideally, these should be changed to increase the security of your database.

    During installation

    During installation of the server, it is recommended that the instance name be changed from the default, “DEXIS_DATA”. Using the default name allows anyone to search for your database with a well-known name. Note that you cannot change the instance name once the database is installed.
    You are unable to specify a different password during the installation process.

    After installation

    After DEXIS is installed, you can change your database password using the following procedure. Note that this procedure will work if you installed a new instance of the database using the supplied installation media.
    On the installation media, browse to the following directory: “D:\Common\Software\ssmse2005\x86”, where D: is the drive letter on which the installation media is mounted.
    Run SQLServer2005_SSMSEE.msi to install SQL Server Management Studio Express on your server. Use the default options in the installation dialogs.
    Start the SQL Server Management Studio (Start → All Programs → Microsoft SQL Server 2005 → SQL Server Management Studio Express).
    On the “Connect to Server” dialog, change the Authentication setting to “SQL Server Authentication”. The Login name is “sa”, and the password is in the user manual.
    It is recommended that you do not use the default (well-known) password, and to use a strong password for your database. There are web-sites which will generate a strong password for you (such as: https://identitysafe.norton.com/password-generator) or will indicate how strong your password is (such as http://www.passwordmeter.com/).
    On the left side panel, select “Security” → “Logins”. Double-click the “sa” user, and enter a new password on the General page. You will need to enter the same password twice to confirm.

    Updating DEXIS to use the new password

    Run DEXIS Imaging Suite (double-click the icon on the desktop). DEXIS will display an error (The following configuration errors were detected). Click “OK”. Click on the settings button. Select the Data panel in preferences.
    Check the “Edit Advanced settings” option. Click “OK” on the displayed warning dialog.
    Enter your new password in the dialog. Press the “Verify” button to test the settings. When successful, select “OK” and restart DEXIS. You are now using the new password.
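The SSMS procedure above reduces to a single T-SQL statement, ALTER LOGIN, and the same change can be scripted with sqlcmd, which ships with SQL Server 2005 Express and its client tools. The Python below is an added example, not the vendor's procedure and not part of the CERT note. It assumes sqlcmd.exe is on PATH, reads the current sa password from an environment variable named DEXIS_SA_PASSWORD (an assumed name; the value is in the DEXIS user manual and is not reproduced here), first confirms that sa still accepts it, and only then rotates it. Neither password is placed on a command line, where it would be visible in process listings.

```python
"""Rotate the well-known 'sa' password on the DEXIS SQL Server instance
with sqlcmd instead of the SSMS GUI.

Added example; not part of DEXIS or the CERT note. Assumes sqlcmd.exe is
on PATH. Server name, instance name and the DEXIS_SA_PASSWORD variable
are the author's assumptions."""
import os
import secrets
import string
import subprocess
import tempfile

# Symbols that need no escaping in a T-SQL literal and are not special to
# sqlcmd ('$' is excluded because sqlcmd expands $(name) as a scripting variable).
SYMBOLS = "!#%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 24) -> str:
    """Random password containing lower, upper, digit and symbol, which
    satisfies the SQL Server complexity policy (three of four classes)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def tsql_literal(value: str) -> str:
    """Quote a string as an N'...' literal; embedded quotes are doubled."""
    return "N'" + value.replace("'", "''") + "'"


def build_alter_login(new_password: str, login: str = "sa") -> str:
    """The statement SSMS runs for you when you change the password."""
    return f"ALTER LOGIN [{login.replace(']', ']]')}] WITH PASSWORD = {tsql_literal(new_password)};"


def run_sqlcmd(server: str, password: str, *args: str) -> subprocess.CompletedProcess:
    """Run sqlcmd as 'sa'. The password travels in the SQLCMDPASSWORD
    environment variable (sqlcmd's documented alternative to -P), -b makes
    any SQL error produce a non-zero exit code."""
    env = dict(os.environ, SQLCMDPASSWORD=password)
    return subprocess.run(["sqlcmd", "-S", server, "-U", "sa", "-b", *args],
                          env=env, capture_output=True, text=True)


def sa_password_works(server: str, candidate: str) -> bool:
    """Audit check: does 'sa' still accept the candidate password?"""
    return run_sqlcmd(server, candidate, "-Q", "SELECT 1").returncode == 0


def rotate_sa_password(server: str, current: str, new: str) -> None:
    """Change the sa password. The ALTER LOGIN is fed through a temporary
    script file (-i) so the new secret never appears on a command line."""
    with tempfile.NamedTemporaryFile("w", suffix=".sql", delete=False) as f:
        f.write(build_alter_login(new))
        path = f.name
    try:
        result = run_sqlcmd(server, current, "-i", path)
    finally:
        os.unlink(path)
    if result.returncode != 0:
        raise RuntimeError(f"sqlcmd failed: {result.stderr or result.stdout}")


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else r".\DEXIS_DATA"   # assumed default
    current = os.environ.get("DEXIS_SA_PASSWORD")                    # assumed variable name
    if not current:
        sys.exit("set DEXIS_SA_PASSWORD to the current sa password first")
    if not sa_password_works(server, current):
        sys.exit("current sa password rejected; nothing changed")
    new_password = generate_password()
    rotate_sa_password(server, current, new_password)
    print("sa password rotated; enter this value in DEXIS Preferences > Data and restart DEXIS:")
    print(new_password)
```

The new password is printed once so it can be typed into the DEXIS Data panel as the vendor describes; on a production server it belongs in a password manager rather than a console log. Running sa_password_works against the documented default from another host is also a quick way to confirm, after the change, that the well-known credential no longer works.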


Apply an update

According to the vendor, DEXIS Eleven does not use hard-coded credentials for accessing the database. Affected customers are encouraged to update to DEXIS Eleven as soon as possible.

You may also consider the following workaround:

Restrict network access

Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.
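The vendor's point about the well-known instance name and this firewall workaround can both be checked from the network. The SQL Server Browser service answers a one-byte request on UDP 1434 with the name, version and TCP port of every instance on the host, which is exactly how "anyone can search for your database with a well-known name". The Python below is an added example, not part of the CERT note or of DEXIS; it implements that request/response (the SQL Server Resolution Protocol) and flags instances still called DEXIS_DATA. The sample response is constructed and its host names are made up.

```python
"""Find SQL Server instances advertised by the SQL Server Browser service
(SSRP, UDP 1434) and flag the well-known DEXIS instance name.

Added example; not part of the CERT note or of DEXIS. SAMPLE_RESPONSE is
constructed, with made-up host names."""
import socket
import struct

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # broadcast: every Browser on the subnet answers
CLNT_UCAST_EX = b"\x03"   # unicast: list the instances on one host
SVR_RESP = 0x05
WELL_KNOWN_INSTANCE = "DEXIS_DATA"   # vendor default named in the advisory


def parse_ssrp_response(datagram: bytes) -> list:
    """Parse an SVR_RESP datagram: 0x05, 2-byte little-endian length, then
    ASCII 'key;value;...' pairs, each instance record terminated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue                                    # trailing empty record
        info = dict(zip(fields[0::2], fields[1::2]))    # alternating key, value
        if "InstanceName" in info:
            instances.append(info)
    return instances


def discover(target: str = "<broadcast>", timeout: float = 2.0) -> list:
    """Send one probe and collect replies until the socket times out.
    Returns the parsed instances, each tagged with the answering host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        if target == "<broadcast>":
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            sock.sendto(CLNT_BCAST_EX, (target, SSRP_PORT))
        else:
            sock.sendto(CLNT_UCAST_EX, (target, SSRP_PORT))
        while True:
            data, (host, _) = sock.recvfrom(65535)
            try:
                parsed = parse_ssrp_response(data)
            except ValueError:
                continue                                # unrelated datagram
            for inst in parsed:
                inst["host"] = host
                found.append(inst)
    except socket.timeout:
        pass                                            # no more answers
    finally:
        sock.close()
    return found


def flag_dexis(instances: list, name: str = WELL_KNOWN_INSTANCE) -> list:
    """Instances still using the default DEXIS name, i.e. findable by anyone."""
    return [i for i in instances if i.get("InstanceName", "").upper() == name]


# Constructed SVR_RESP, as a Browser on a host with two instances would send it.
_BODY = (b"ServerName;DENTAL-SRV;InstanceName;DEXIS_DATA;IsClustered;No;"
         b"Version;9.00.5000.00;tcp;1433;;"
         b"ServerName;DENTAL-SRV;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;10.50.1600.1;tcp;49152;;")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY

if __name__ == "__main__":
    import sys
    # Offline: parse the constructed sample. Online: <host> or "broadcast".
    if len(sys.argv) > 1:
        target = "<broadcast>" if sys.argv[1] == "broadcast" else sys.argv[1]
        instances = discover(target)
    else:
        instances = parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in flag_dexis(instances):
        print(f"{inst.get('host', 'sample')}: {inst['ServerName']}\\{inst['InstanceName']} "
              f"version {inst['Version']} tcp/{inst.get('tcp', '?')}")
```

With the firewall workaround in place, a unicast probe from an untrusted host should simply time out, and the TCP port the Browser would have advertised (1433 in the sample; named instances use a dynamic port by default) should be unreachable as well. Both checks are worth repeating after any SQL Server or DEXIS upgrade, since reinstalls tend to reopen them.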

Vendor Information

Vendor: Dexis
Status: Affected
Date notified: -
Date updated: 22 Aug 2016

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.6    E:F/RL:TF/RC:C
Environmental  6.4    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.dexis.com/system

Credit

Thanks to Justin Shafer for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-6532
  • Date Public:06 Sep 2016
  • Date First Published:07 Sep 2016
  • Date Last Updated:07 Sep 2016
  • Document Revision:22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/282991

CWE: Common Weakness Enumeration

100% CWE-798 Use of Hard-coded Credentials (CWE/SANS Top 25)

Alert History

2016-09-28 21:26:02: Multiple updates
2016-09-24 17:28:12: Multiple updates
2016-09-07 17:22:32: First insertion