Endpoint

3/14/2018
09:35 AM
50%
50%

Medical Apps Come Packaged with Hardcoded Credentials

Vulnerabilities in DocuTrac applications also include weak encryption, according to Rapid7.

Two popular applications for medical records management contain hidden user accounts with hard-coded credentials that could be abused by hackers, a researcher has found.

Rapid7 today published a report on the newly discovered security vulnerabilities (CVE-2018-5551 and CVE-2018-5552) in DocuTrac's electronic medical record (EMR) software QuicDoc and Office Therapy billing software. DocuTrac software runs at some 5,000 healthcare practices, including county and state mental health facilities, employee assistance programs, behavioral health, and other facilities.

Three user accounts are created when the software is installed, and these accounts have high levels of access to the database, according to Rapid7, who handled the vuln disclosure on behalf of the independent researcher who discovered the flaws. The administrator setting up the software is neither warned of these accounts' existence nor has an option to change the passwords.

In addition, QuickDoc and Office Therapy use a single, hard-coded salt string for encryption. It's not clear precisely how much of the data stored by the system is encrypted, according to Rapid7, but it is clear that whatever is encrypted is less secure than it should be.

DocuTrac has been notified of the vulnerabilities and has not yet released a patch. In the meantime, Rapid 7 recommends limiting physical access to systems that can be used to log into the applications.

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14373
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetFiel...
CVE-2018-14374
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an empty fmt argument to unixErrorHandler in tif_unix.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFClientOpen, TIFFFdOpen, TIFFRawStripSize, TIFFCheckTile, TIFFComputeStrip,...
CVE-2018-14375
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow vulnerability can occur via an invalid or empty tif argument to TIFFRGBAImageOK in tif_getimage.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFReadRGBAImage, TIFFRGBAImageOK, and TIFFRGBAIm...
CVE-2018-14378
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an invalid or empty tif argument to TIFFWriteBufferSetup in tif_write.c, and it can be exploited (at a minimum) via the following high-level library API function: TIFFWriteTile.
CVE-2018-14363
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.