Updated:  September 09, 2016

Statement Date:   September 07, 2016

Status

Affected

Vendor Statement

This vulnerability note by [CERT/CC] that Open Dental hard-codes credentials in its software is factually false. Open Dental feels that it is detrimental to our reputation to state this. In fact, there is indeed a default blank password, but it can be changed, and is not hard-coded. http://www.opendental.com/manual/securitymysql.html . We recommend that users change it, each customer receives direction with a link to http://www.opendental.com/manual/computernetworksetup.html see the step linking to http://www.opendental.com/manual/securitymysql.html . NOTE: setting a MySQL password does not mean that a bad actor who has access to the data on your server cannot access the data. If I have a copy of your MySQL database, all I have to do is replace the grant tables and I have access to your database. You must encrypt your database to prevent this http://www.opendental.com/manual/encryption.html , and securing your network is always the first step http://www.opendental.com/manual/securityoverview.html . Open Dental would like to respond to the revised VU#619767. While it is true that Open Dental does not force clients to use MySQL passwords, it is important to give more context for what would be needed to exploit this. It is not true that an unauthenticated remote attacker can gain access just because an Open Dental user does not have a root password on a database. It would be true if an administrator of the database host network edge router also had added a specific port forwarding rule to forward traffic from a designated port to the database host server on the same port MySQL was set to send traffic from, which is a terrible idea. Users do not need to take action in this case, they need to continue to not intentionally expose Open Dental MySQL databases directly to the internet without our Middle Tier product(http://www.opendental.com/manual/middletier.html). If a bad actor has sufficient access to your network set up a port forwarding rule without you knowing, you are already completely compromised and a MySQL password is not helpful.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.