CVE-2017-11614 has been created. More info on the password. It is 8 characters long, contains no special characters or numbers and is dictionary based. Can be brute forced easily.
On Mon, Jul 24, 2017 at 5:12 PM, Allen F <[email protected]> wrote: > Overview > ------------ > > MEDHOST Connex for all versions contains hard-coded credentials that > are used for customer > database access. This is a new vulnerability not related to CVE-2016-4328. > > Description > ------------ > > MEDHOST Connex contains hard-coded credentials that are used for > customer database > access. An attacker with knowledge of the hard-coded credentials and the > ability > to communicate directly with the database may be able to obtain > or modify sensitive patient and financial information. > > Connex utilizes an IBM i DB2 user account for database access. The > account name is HMSCXPDN. > This password is hard-coded in multiple places of the application. > Customers do not have the option to change this password. The account > has elevated DB2 roles, and can access all objects or database tables > on the customer DB2 database. This account can access data through > odbc, ftp, and telnet. > > Customers w/o Connex installed are still vulnerable. The MEDHOST setup > program creates this account. Connex provides connectivity to exchange > clinical information with the MEDHOST application. /1 > > Impact > ------------ > > An attacker with knowledge of the hard-coded credentials and the > ability to communicate > directly with the application database server may be able to obtain or > modify patient > and financial information. > > Solution > ------------ > > The vendor has not issued a patch and has been unresponsive to this > information after 3 attempts > to communicate. > > Restrict network access > > As a general security practice, only allow connections from trusted > hosts and networks. > Restricting access would prevent an attacker from using the hard-coded > database credentials > from a blocked network location. > > References > > /1 > http://www.clinical-innovation.com/topics/health-it/himss-hms-launches-hms-connex-showcase-ambulatory-ehr _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
