search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Patterson Dental Eaglesoft uses a hard-coded database password across installations

Vulnerability Note VU#344432

Original Release Date: 2016-03-30 | Last Revised: 2016-03-30


Patterson Dental Eaglesoft is a dental records software. Eaglesoft uses a hard-coded database password that is shared across all installations.


CWE-798: Use of Hard-coded Credentials - CVE-2016-2343

According to the researcher, Eaglesoft uses hard-coded credentials to access a database back-end. The credentials are the same across installations of Eaglesoft. Sensitive patient information is contained in Eaglesoft databases. An administrator is unable to change these credentials without breaking access to the back-end database.

The researcher has published a blog post with more information.


An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.


The CERT/CC is currently unaware of a full solution to this problem.

Offices deploying Eaglesoft should consider the following workarounds and mitigations:

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded credentials from a blocked network location.

Do not allow the Eaglesoft database to be accessed by unauthorized users on an insecure wireless network. If the Eaglesoft database is accessible from an insecure wireless network, a remote attacker may be able to gain access using the hard-coded credentials. Wireless access points should be configured to use WPA2 encryption and disable the WiFi Protected Setup (WPS) PIN. Encryption standards such as Wired Equivalent Privacy (WEP) can be easily cracked and should not be relied on to secure wireless networks.

Vendor Information


Patterson Dental Affected

Notified:  February 19, 2016 Updated: March 30, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.5 E:F/RL:U/RC:C
Environmental 2.4 CDP:ND/TD:L/CR:H/IR:H/AR:ND



Thanks to Justin Shafer for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2343
Date Public: 2016-02-15
Date First Published: 2016-03-30
Date Last Updated: 2016-03-30 15:00 UTC
Document Revision: 43

Sponsored by CISA.