Henry Schein Information for VU#948155

Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations

Status

Affected

Vendor Statement

When initially released to market, the Dentrix G5 application used a hard-coded internal database password. If a user was able to discover that password for his/her own G5 installation through administrator-level network and system privileges, and other exploitative steps, that user would know the internal database password for G5 systems installed at any location. Henry Schein promptly took measures to remediate the situation by releasing security updates, and alerted all affected customers.

It is important to note, however, that the disclosure of the internal database password only posed a vulnerability for practices whose network was unprotected (i.e. practices who lacked a firewall and/or other basic network safeguards).

Beginning with version 15.1.294 (Dentrix G5.1 Hotfix 1, released 14 Feb 2013), each Dentrix database now has an internal database password that is unique to that particular installation and contains additional technical controls to combat other exploitative steps.

Customers should upgrade to Dentrix G5 Productivity Pack 1 and install the latest hotfix. This file can be found at http://www.dentrix.com/support/software-updates/g5.aspx.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.dentrix.com/support/software-updates/g5.aspx

Addendum

There are no additional comments at this time.
