Hard-coded credentials placing dental offices at risk

Full Disclosure: CERT has known about the issue in Dentrix for more than a year and has remained silent

1 2 Page 2
Page 2 of 2

It isn't clear why CERT has stopped communicating on VU #176231, but experts familiar with process of working with them to disclose an issue have told Salted Hash that silence isn't uncommon.

Security experts look to CERT to stay current on the latest developments on flaws and vulnerabilities. But if CERT sits on information that has been responsibly disclosed and never shares with the public, then organizations are sitting in the dark, lacking crucial information that could be used to prevent a security incident.

"When a medical company opts to ignore a reported vulnerability, especially when the researcher went out of their way to report and work with the vendor citing patient data concerns, it is disturbing and telling," said Brian Martin of Risk Based Security.

"In this case, it is quite troubling that Dentrix is not being responsive to the researcher, not providing a timely solution, and not working with him to further test software patches. Instead, they are relying on their same original flawed process for creating software updates, apparently refusing to implement security testing, and ultimately putting their customers further at risk.

"Even worse, the U.S. government body designed to help coordinate and disclose these vulnerabilities, along with viable solution information, doesn't appear to be helping at all. Working with vendors and being understanding of their development process is one thing, but allowing customers to be at continued risk for almost four years is unacceptable."

Shafer has demonstrated how the vulnerability works to Salted Hash, but in the interest of patient protection, he has requested that such details not be published. However, he did list a number of flaws in the software directly that have existed since version G5.

Due to the fact that most dental offices lack basic security, their databases and Dentrix installations are sitting ducks.

Some dental offices, Shafer explained, leave their server exposed to the DMZ in the router, or use weak wireless security, allowing the attacker to authenticate to the database over the Internet without ever stepping into the office. Given that Adobe Flash is used in Dentrix, an attacker could leverage a new or existing exploit and access patient records that way.

In their statement, Henry Schein said that they've updated to Faircom 10.3 in order to address some security concerns, and they've altered the password generation algorithm. However, despite these updates, Shafer was still able to determine the database GUID, admin password and DTXUSER password in Dentrix G6 using a wireless connection from a client's parking lot.

So while the company has updated various security controls in the years since, the vulnerability reported in 2013 still exists and can be exploited.

Salted Hash will continue to follow this story and report on any additional developments. Should CERT respond to questions - this story will be updated.

EDIT: Earlier instances of US-CERT in this article were altered on 20 MAY 2015 to CERT. Partially funded by the DHS (who fully funds US-CERT), the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CERT) is the organization that issued VU notes and handles disclosure.

Copyright © 2015 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies