Open Dental contains hard-coded credentials
Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016

Overview
Open Dental is dental medical records management software. It contains hard-coded default credentials that allow administrative or root access to the patient database.

Description

CWE-798: Use of Hard-coded Credentials – CVE-2016-6531
Open Dental contains a hard-coded default database credential.

An unauthenticated remote attacker with knowledge of the credentials may be able to obtain administrator access to the patient database.

Impact

A remote unauthenticated attacker with knowledge of the credential may be able to gain administrative access to the patient database.

Solution

Update MySQL database credentials

Open Dental makes use of a MySQL database backend. The MySQL database credentials may be updated to prevent usage of the default credential. For instructions on changing the password, please see http://www.opendental.com/manual/mysql.html.

You may also consider the following workaround:

Restrict network access

Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.
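
Both mitigations above can be verified against a server's settings. The following is an added example, not code from this advisory or from Open Dental: it audits a MySQL option file and a list of account rows for network exposure and missing passwords. The function name, the input shape, and the sample data are assumptions constructed for illustration.

```python
import configparser

def audit_mysql_exposure(cnf_text, accounts):
    """Return findings for a MySQL option file and exported account rows.

    accounts: (user, host, has_password) tuples an administrator exported
    from the server's account table (assumed input shape).
    """
    findings = []
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}

    # Network reachability: the server is local-only if networking is
    # disabled or it binds to a loopback address. Anything else relies on
    # a firewall to limit access to trusted hosts.
    networking_off = "skip-networking" in mysqld or "skip_networking" in mysqld
    bind = mysqld.get("bind-address") or mysqld.get("bind_address")
    if not networking_off and bind not in ("127.0.0.1", "::1", "localhost"):
        where = bind or "all interfaces (no bind-address set)"
        findings.append(f"server listens on {where}; confirm a firewall "
                        "limits the port to trusted hosts")

    for user, host, has_password in accounts:
        if not has_password:
            findings.append(f"'{user}'@'{host}' has no password set")
        if host == "%":
            findings.append(f"'{user}'@'{host}' accepts connections from any host")
    return findings

# Constructed sample input, not taken from any real installation.
WEAK_CNF = """[mysqld]
port = 3306
bind-address = 0.0.0.0
"""
WEAK_ACCOUNTS = [("root", "localhost", True), ("root", "%", False)]

HARDENED_CNF = """[mysqld]
port = 3306
bind-address = 127.0.0.1
"""
HARDENED_ACCOUNTS = [("root", "localhost", True)]

if __name__ == "__main__":
    for name, cnf, rows in (("weak", WEAK_CNF, WEAK_ACCOUNTS),
                            ("hardened", HARDENED_CNF, HARDENED_ACCOUNTS)):
        print(name, audit_mysql_exposure(cnf, rows))
```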

Vendor Information

Vendor       Status    Date Notified  Date Updated
Open Dental  Affected                 16 Aug 2016

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9.5    E:F/RL:ND/RC:C
Environmental  7.1    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit
Thanks to Justin Shafer for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information
CVE IDs: CVE-2016-6531
Date Public: 06 Sep 2016
Date First Published: 06 Sep 2016
Date Last Updated: 06 Sep 2016
Document Revision: 16

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
