Vulnerability Note VU#619767

Open Dental uses blank database password by default

Original Release date: 06 Sep 2016 | Last revised: 13 Sep 2016

Overview

Open Dental is medical dental records management software. Open Dental version 16.1, and previous versions, installs with a blank root database (MySQL) password by default. An attacker with network access to an Open Dental MySQL database could read, modify, or delete data.

This Vulnerability Note initially, and incorrectly, stated that Open Dental used hard coded credentials. The Impact section also implied that in its default configuration, the Open Dental database was available over remote networks such as the internet. An Open Dental database would need to be specifically configured to allow remote network access.

Description

Open Dental provided the following statement.

    Open Dental would like to respond to the revised VU#619767. While it is true that Open Dental does not force clients to use MySQL passwords, it is important to give more context for what would be needed to exploit this. It is not true that an unauthenticated remote attacker can gain access just because an Open Dental user does not have a root password on a database. It would be true if an administrator of the database host network edge router also had added a specific port forwarding rule to forward traffic from a designated port to the database host server on the same port MySQL was set to send traffic from, which is a terrible idea. Users do not need to take action in this case; they need to continue to not intentionally expose Open Dental MySQL databases directly to the internet without our Middle Tier product (http://www.opendental.com/manual/middletier.html). If a bad actor has sufficient access to your network to set up a port forwarding rule without you knowing, you are already completely compromised and a MySQL password is not helpful.

Impact

An attacker with network access to an Open Dental MySQL database could read, modify, or delete data. The attacker would most likely need local network access.

Solution

Update MySQL database credentials and enable further protections
Open Dental uses a MySQL database backend. The default blank database credentials can be changed. For instructions see


For further information on securing Open Dental, see

Restrict network access
Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.
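The two solution items above (change the blank database credentials; keep the database off untrusted networks) can both be checked from the server's own data. The following is an added example written for this note, not Open Dental's or CERT/CC's code. It assumes rows shaped like the output of `SELECT user, host, authentication_string FROM mysql.user` (MySQL 5.7 and later; the column is named `password` on 5.6 and earlier) and a `[mysqld]` section from my.cnf/my.ini; the sample rows and config are constructed, and the account names other than `root` are invented for illustration.

```python
"""Audit MySQL accounts and listener settings for the weaknesses described in
VU#619767: blank passwords on accounts, and a database reachable from the
network. Added example; the sample data below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    problem: str
    fix_sql: str  # statement an administrator can review and paste


# Constructed sample of mysql.user rows: (user, host, authentication_string).
# An empty string is what a default, password-less root account shows.
SAMPLE_USER_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("opendental_ro", "10.0.0.%", "*A4B6157319038724E3560894F7F932C8886EBFCF"),
    ("mysql.sys", "localhost", "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE"),
]

# Constructed my.cnf fragment: the server listens on every interface.
SAMPLE_MY_CNF = """\
[mysqld]
port=3306
bind-address=0.0.0.0
"""


def _quote(identifier):
    """Single-quote a user or host for a MySQL account name, escaping quotes."""
    return "'" + identifier.replace("'", "''") + "'"


def audit_user_rows(rows):
    """Return a Finding for every blank password and every wildcard-host login."""
    findings = []
    for user, host, auth in rows:
        acct = f"{_quote(user)}@{_quote(host)}"
        if auth == "":
            # ALTER USER needs MySQL 5.7.6+; on older servers use
            # SET PASSWORD FOR <acct> = PASSWORD('...') instead.
            findings.append(Finding(user, host, "blank password",
                f"ALTER USER {acct} IDENTIFIED BY '<new strong password>';"))
        if host == "%":
            findings.append(Finding(user, host, "login allowed from any host",
                f"-- restrict to a trusted host, or: DROP USER {acct};"))
    return findings


def network_exposure(my_cnf_text):
    """Describe who can reach the listener, based on [mysqld] settings.

    Assumption (matches MySQL's own default): a missing bind-address means
    the server listens on all interfaces.
    """
    in_mysqld = False
    settings = {}
    for line in my_cnf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            key, _, value = line.partition("=")
            # MySQL accepts both skip-networking and skip_networking.
            settings[key.strip().replace("_", "-")] = value.strip()
    if "skip-networking" in settings:
        return "local-only (skip-networking)"
    bind = settings.get("bind-address", "*")
    if bind in ("127.0.0.1", "::1", "localhost"):
        return "local-only (bind-address)"
    port = settings.get("port", "3306")
    return f"network-reachable on port {port} (bind-address={bind})"


if __name__ == "__main__":
    for f in audit_user_rows(SAMPLE_USER_ROWS):
        print(f"{f.user}@{f.host}: {f.problem}\n    {f.fix_sql}")
    print("listener:", network_exposure(SAMPLE_MY_CNF))
```

Running the script against the constructed sample reports two blank-password accounts and one wildcard-host account, and flags the listener as network-reachable; an Open Dental server that is meant to serve only its own workstations would show accounts restricted to the workstation subnet and, where the clients are local, a `bind-address` of `127.0.0.1`.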

Vendor Information

Vendor       Status     Date Notified   Date Updated
Open Dental  Affected   -               09 Sep 2016

CVSS Metrics

Group          Score   Vector
Base           8.3     AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.5     E:F/RL:W/RC:C
Environmental  1.9     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Justin Shafer for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-6531
  • Date Public: 06 Sep 2016
  • Date First Published: 06 Sep 2016
  • Date Last Updated: 13 Sep 2016
  • Document Revision: 54