CERTVU:948155Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
65.7%
Overview
Henry Schein Dentrix G5, a dental practice management software suite, uses hard-coded database access credentials that are shared across multiple installation sites. An attacker who is able to obtain the credentials for one site may be able to gain access to other sites using the same credentials.
Description
Dentrix G5 has uses hard-coded credentials (CWE-798) to access a database back-end. The credentials are the same across installations of Dentrix G5. Sensitive patient information is contained in Dentrix G5 databases. An administrator is unable to change these credentials without breaking access to the back-end database. Henry Schein has provided a vendor statement with additional details about this vulnerability.
Impact
An attacker who is able to obtain the database credentials from one site can potentially access databases on other sites sharing the same credentials. The attacker may need access to the local network or a system with Dentrix G5 installed in order to obtain the credentials, and the attacker would need network access to the database in order to obtain sensitive patient information.
Solution
Apply an Update
Dentrix G5 version 15.1.294 (Dentrix G5.1 Hotfix 1, released 14 Feb 2013) addresses this vulnerability. This update adds a feature to create a unique database back-end password for each Dentrix G5 installation. The update also makes it more difficult to obtain the password from a Dentrix G5 system or the network. Contact Henry Schein customer service for additional information.
Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded credentials from a blocked network location.
Do not allow the Dentrix G5 database to be accessed by unauthorized users on an insecure wireless network. If the Dentrix G5 database is accessible from an insecure wireless network, a remote attacker may be able to gain access using the hard-coded credentials. Wireless access points should be configured to use WPA2 encryption and disable the WiFi Protected Setup (WPS) PIN. Encryption standards such as Wired Equivalent Privacy (WEP) can be easily cracked and should not be relied on to secure wireless networks.
Vendor Information
948155
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Henry Schein __ Affected
Notified: October 15, 2012 Updated: April 28, 2013
Status
Affected
Vendor Statement
When initially released to market, the Dentrix G5 application used a hard-coded internal database password. If a user was able to discover that password for his/her own G5 installation through administrator-level network and system privileges, and other exploitative steps, that user would know the internal database password for G5 systems installed at any location. Henry Schein promptly took measures to remediate the situation by releasing security updates, and alerted all affected customers.
It is important to note, however, that the disclosure of the internal database password only posed a vulnerability for practices whose network was unprotected (i.e. practices who lacked a firewall and/or other basic network safeguards).
Beginning with version 15.1.294 (Dentrix G5.1 Hotfix 1, released 14 Feb 2013), each Dentrix database now has an internal database password that is unique to that particular installation and contains additional technical controls to combat other exploitative steps.
Customers should upgrade to Dentrix G5 Productivity Pack 1 and install the latest hotfix. This file can be found at <http://www.dentrix.com/support/software-updates/g5.aspx>.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 6.9 | E:ND/RL:OF/RC:C |
| Environmental | 2.0 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND |
References
- <https://www.ftc.gov/news-events/blogs/business-blog/2016/01/ftc-takes-toothless-encryption-claims-dental-practice>
- <http://wnep.com/2013/12/09/stolen-data-on-thousands-of-williamsport-area-dental-patients/>
- <http://www.dentrix.com/support/software-updates/g5.aspx>
- <http://www.dentrix.com/products/dentrix/g5/>
- <http://cwe.mitre.org/data/definitions/798.html>
- <http://blog.osvdb.org/tag/henry-schein-practice-solutions/>
Acknowledgements
Thanks to Justin Shafer for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2012-4952 |
|---|---|
| Date Public: | 2012-11-22 Date First Published: |
References
blog.osvdb.org/tag/henry-schein-practice-solutions/
cwe.mitre.org/data/definitions/798.html
wnep.com/2013/12/09/stolen-data-on-thousands-of-williamsport-area-dental-patients/
www.dentrix.com/products/dentrix/g5/
www.dentrix.com/support/software-updates/g5.aspx
www.ftc.gov/news-events/blogs/business-blog/2016/01/ftc-takes-toothless-encryption-claims-dental-practice
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
65.7%