Details of VAR-201707-0779

ID

VAR-201707-0779

CVE

CVE-2017-11614

TITLE

MEDHOST Connex Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2017-006602

DESCRIPTION

MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information. Connex utilizes an IBM i DB2 user account for database access. The account name is HMSCXPDN. Its password is hard-coded in multiple places in the application. Customers do not have the option to change this password. The account has elevated DB2 roles, and can access all objects or database tables on the customer DB2 database. This account can access data through ODBC, FTP, and TELNET. Customers without Connex installed are still vulnerable because the MEDHOST setup program creates this account. MEDHOST Connex Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 1.62

sources: NVD: CVE-2017-11614 // JVNDB: JVNDB-2017-006602

AFFECTED PRODUCTS

vendor:	medhost	model:	connex	scope:	eq	version:	-	Trust: 1.6
vendor:	medhost	model:	connex	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2017-006602 // CNNVD: CNNVD-201707-1247 // NVD: CVE-2017-11614

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-11614
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-11614
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201707-1247
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2017-11614
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2017-11614
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2017-006602 // CNNVD: CNNVD-201707-1247 // NVD: CVE-2017-11614

PROBLEMTYPE DATA

problemtype:

CWE-798

Trust: 1.8

sources: JVNDB: JVNDB-2017-006602 // NVD: CVE-2017-11614

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1247

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201707-1247

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006602

PATCH

title:

Top Page

url:

http://www.medhost.com/

Trust: 0.8

sources: JVNDB: JVNDB-2017-006602

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11614	Trust: 2.4
db:	JVNDB	id:	JVNDB-2017-006602	Trust: 0.8
db:	CNNVD	id:	CNNVD-201707-1247	Trust: 0.6

sources: JVNDB: JVNDB-2017-006602 // CNNVD: CNNVD-201707-1247 // NVD: CVE-2017-11614

REFERENCES

url:	http://seclists.org/fulldisclosure/2017/jul/59	Trust: 2.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11614	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-11614	Trust: 0.8

sources: JVNDB: JVNDB-2017-006602 // CNNVD: CNNVD-201707-1247 // NVD: CVE-2017-11614

SOURCES

db:	JVNDB	id:	JVNDB-2017-006602
db:	CNNVD	id:	CNNVD-201707-1247
db:	NVD	id:	CVE-2017-11614

LAST UPDATE DATE

2025-04-20T23:38:28.943000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2017-006602	date:	2017-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201707-1247	date:	2017-09-21T00:00:00
db:	NVD	id:	CVE-2017-11614	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2017-006602	date:	2017-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201707-1247	date:	2017-07-25T00:00:00
db:	NVD	id:	CVE-2017-11614	date:	2017-07-25T17:29:00.357