Executive Summary

Summary
Title Open Dental uses blank database password by default
Informations
Name VU#619767 First vendor Publication 2016-09-06
Vendor VU-CERT Last vendor Modification 2016-09-13
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#619767

Open Dental uses blank database password by default

Original Release date: 06 Sep 2016 | Last revised: 13 Sep 2016

Overview

Open Dental is medical dental records management software. Open Dental version 16.1, and previous versions, installs with a blank root database (MySQL) password by default.. An attacker with network access to an Open Dental MySQL database could read, modify, or delete data.

This Vulnerability Note initially, and incorrectly, stated that Open Dental used hard coded credentials. The Impact section also implied that in its default configuration, the Open Dental database was available over remote networks such as the internet. An Open Dental database would need to be specifically configured to allow remote network access.

Description

Open Dental provided the following statements.

    This vulnerability note by [CERT/CC] that Open Dental hard-codes credentials in its software is factually false. Open Dental feels that it is detrimental to our reputation to state this. In fact, there is indeed a default blank password, but it can be changed, and is not hard-coded. http://www.opendental.com/manual/securitymysql.html .

    We recommend that users change it, each customer receives direction with a link to http://www.opendental.com/manual/computernetworksetup.html see the step linking to http://www.opendental.com/manual/securitymysql.html .

    NOTE: setting a MySQL password does not mean that a bad actor who has access to the data on your server cannot access the data. If I have a copy of your MySQL database, all I have to do is replace the grant tables and I have access to your database. You must encrypt your database to prevent this http://www.opendental.com/manual/encryption.html , and securing your network is always the first step http://www.opendental.com/manual/securityoverview.html .
    Open Dental would like to respond to the revised VU#619767. While it is true that Open Dental does not force clients to use MySQL passwords, it is important to give more context for what would be needed to exploit this. It is not true that an unauthenticated remote attacker can gain access just because an Open Dental user does not have a root password on a database. It would be true if an administrator of the database host network edge router also had added a specific port forwarding rule to forward traffic from a designated port to the database host server on the same port MySQL was set to send traffic from, which is a terrible idea. Users do not need to take action in this case, they need to continue to not intentionally expose Open Dental MySQL databases directly to the internet without our Middle Tier product(http://www.opendental.com/manual/middletier.html). If a bad actor has sufficient access to your network set up a port forwarding rule without you knowing, you are already completely compromised and a MySQL password is not helpful.

Impact

An attacker with network access to an Open Dental MySQL database could read, modify, or delete data. The attacker would most likely need local network access.

Solution

Update MySQL database credentials and enable further protections
Open Dental uses a MySQL database backend. The default blank database credentials can be changed. For instructions see

    http://www.opendental.com/manual/mysql.html

For further information on securing Open Dental, see
    http://www.opendental.com/manual/computernetworksetup.html

    http://www.opendental.com/manual/securitymysql.html

Restrict network access
Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Open DentalAffected-09 Sep 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base8.3AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal7.5E:F/RL:W/RC:C
Environmental1.9CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.opendental.com/manual/computernetworksetup.html
  • http://www.opendental.com/manual/securitymysql.html
  • http://www.opendental.com/manual/encryption.html
  • http://www.opendental.com/manual/middletier.html
  • http://www.opendental.com/manual/securityoverview.html
  • http://www.opendental.com/manual/mysql.html
  • http://www.opendental.com/
  • https://cwe.mitre.org/data/definitions/258.html

Credit

Thanks to Justin Shafer for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-6531
  • Date Public:06 Sep 2016
  • Date First Published:06 Sep 2016
  • Date Last Updated:13 Sep 2016
  • Document Revision:54

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/619767

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-255 Credentials Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2016-09-28 21:26:02
  • Multiple Updates
2016-09-24 17:28:12
  • Multiple Updates
2016-09-13 13:21:52
  • Multiple Updates
2016-09-10 09:25:11
  • Multiple Updates
2016-09-08 21:22:07
  • Multiple Updates
2016-09-08 00:22:15
  • Multiple Updates
2016-09-07 00:23:33
  • First insertion