[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAPtV237tYVoDkkoLh_MbHeUyu4C0wuk4tCtBRqw++hdDB6r8HQ@mail.gmail.com>
Date: Tue, 25 Jul 2017 13:15:25 -0500
From: Allen Franks <afranks2131@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] MEDHOST Connex contains hard-coded database credentials
CVE-2017-11614 has been created. More info on the password. It is 8
characters long, contains no special characters or numbers and is
dictionary based. Can be brute forced easily.
On Mon, Jul 24, 2017 at 5:12 PM, Allen F <afranks2131@...il.com> wrote:
> Overview
> ------------
>
> MEDHOST Connex for all versions contains hard-coded credentials that
> are used for customer
> database access. This is a new vulnerability not related to CVE-2016-4328.
>
> Description
> ------------
>
> MEDHOST Connex contains hard-coded credentials that are used for
> customer database
> access. An attacker with knowledge of the hard-coded credentials and the ability
> to communicate directly with the database may be able to obtain
> or modify sensitive patient and financial information.
>
> Connex utilizes an IBM i DB2 user account for database access. The
> account name is HMSCXPDN.
> This password is hard-coded in multiple places of the application.
> Customers do not have the option to change this password. The account
> has elevated DB2 roles, and can access all objects or database tables
> on the customer DB2 database. This account can access data through
> odbc, ftp, and telnet.
>
> Customers w/o Connex installed are still vulnerable. The MEDHOST setup
> program creates this account. Connex provides connectivity to exchange
> clinical information with the MEDHOST application. /1
>
> Impact
> ------------
>
> An attacker with knowledge of the hard-coded credentials and the
> ability to communicate
> directly with the application database server may be able to obtain or
> modify patient
> and financial information.
>
> Solution
> ------------
>
> The vendor has not issued a patch and has been unresponsive to this
> information after 3 attempts
> to communicate.
>
> Restrict network access
>
> As a general security practice, only allow connections from trusted
> hosts and networks.
> Restricting access would prevent an attacker from using the hard-coded
> database credentials
> from a blocked network location.
>
> References
>
> /1 http://www.clinical-innovation.com/topics/health-it/himss-hms-launches-hms-connex-showcase-ambulatory-ehr
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists