Vulnerability Note VU#619767
Open Dental uses blank database password by default
Open Dental is medical dental records management software. Open Dental version 16.1, and previous versions, installs with a blank root database (MySQL) password by default. An attacker with network access to an Open Dental MySQL database could read, modify, or delete data.
This Vulnerability Note initially, and incorrectly, stated that Open Dental used hard coded credentials. The Impact section also implied that in its default configuration, the Open Dental database was available over remote networks such as the internet. An Open Dental database would need to be specifically configured to allow remote network access.
Open Dental provided the following statements.
We recommend that users change it. Each customer receives direction with a link to http://www.opendental.com/manual/computernetworksetup.html ; see the step linking to http://www.opendental.com/manual/securitymysql.html .
NOTE: setting a MySQL password does not mean that a bad actor who has access to the data on your server cannot access the data. If I have a copy of your MySQL database, all I have to do is replace the grant tables and I have access to your database. You must encrypt your database to prevent this http://www.opendental.com/manual/encryption.html , and securing your network is always the first step http://www.opendental.com/manual/securityoverview.html .
An attacker with network access to an Open Dental MySQL database could read, modify, or delete data. The attacker would most likely need local network access.
Update MySQL database credentials and enable further protections
For further information on securing Open Dental, see
Restrict network access
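An added example, not part of the original note and not Open Dental's own code: a defender's audit that flags MySQL accounts with a blank password and separates those whose host pattern permits network logins from local-only ones. It assumes the input is the tab-separated output of `mysql --batch` for a query such as `SELECT User, Host, plugin, LENGTH(Password) AS cred_len FROM mysql.user`; the function name `audit_accounts`, the `cred_len` alias and the sample rows are constructed for illustration.

```python
import csv
import io

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins that authenticate via the OS socket peer, so no password is stored.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


def audit_accounts(batch_output):
    """Flag blank-password accounts in tab-separated `mysql --batch` output.

    Expected columns: User, Host, plugin, cred_len, where cred_len is
    LENGTH() of the stored credential column (Password on MySQL 5.6 and
    earlier, authentication_string on 5.7 and later), so no hashes are exported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(batch_output), delimiter="\t"):
        row = {key.lower(): (value or "").strip() for key, value in row.items()}
        if row.get("plugin", "") in SOCKET_PLUGINS:
            continue  # empty credential is expected here, not a blank password
        if row["cred_len"] not in ("", "0", "NULL"):
            continue  # a credential is set
        user = row["user"] or "(anonymous)"
        remote = row["host"].lower() not in LOCAL_HOSTS
        findings.append({
            "account": f"{user}@{row['host']}",
            "severity": "critical" if remote else "high",
            "reason": "blank password, host pattern allows network logins"
            if remote else "blank password, local logins only",
        })
    return sorted(findings, key=lambda f: (f["severity"], f["account"]))


# Constructed sample rows, not taken from a real server.
SAMPLE = "\n".join([
    "User\tHost\tplugin\tcred_len",
    "root\tlocalhost\tmysql_native_password\t0",
    "root\t%\tmysql_native_password\t0",
    "root\t127.0.0.1\tmysql_native_password\t41",
    "backup\t192.168.1.%\tmysql_native_password\t41",
    "maint\tlocalhost\tunix_socket\tNULL",
    "\tlocalhost\t\t0",
])

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE):
        print(f"{finding['severity']:8} {finding['account']:22} {finding['reason']}")
```

Any host value other than a loopback name or address is treated as network-reachable, which matches the note's point that exposure depends on how remote access has been configured.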
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Open Dental | Affected | - | 09 Sep 2016 |
Thanks to Justin Shafer for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-6531
- Date Public: 06 Sep 2016
- Date First Published: 06 Sep 2016
- Date Last Updated: 13 Sep 2016
- Document Revision: 54