# Vulnerability in Sirona Sidexis 4: stored default credentials (CVE-2019-11081 | Ticket # 222666)
## Details (1)

* 2018-10-03: contacted vendor via e-mail to contact@dentsplysirona.com
* 2018-10-08: received phone call from vendor, forwarding it to the product owner
* 2018-10-21: Sirona assigned their Service Request ID ("Vorgangsnummer"): 8000254664
* 2018-10-31: asking for news via e-mail
* 2018-11-06: receiving information to contact product owner directly (name and e-mail not listed here for privacy reasons)
## Details (2)

* 2018-11-06: contacting product owner asking for news and a statement
* 2018-12-04: re-sending request due to no response (receiving autoresponder this time)
* 2018-12-21: received e-mail from product owner stating that there might be more security issues in Sidexis 4, attached a [security whitepaper](https://www.bastolino.de/sidexis4securitywhitepaper.pdf)
* 2018-12-22: reply to product owner asking how the bug will get fixed and by when; asking another question
## Details (3)

* 2019-01-03: received response from product owner answering the "other" question, but no information about the bug
* 2019-01-08: re-asking about the open questions
* 2019-01-21: friendly reminder
* 2019-04-10: application for CVE number
* 2019-04-10: public disclosure
* 2019-04-10: assigned CVE-2019-11081
* 2019-04-11: informed product owner about CVE
* 2019-05-13: got an e-mail which informed me about the CVE being exploited. Check back later for further information.
## Mitigation (not recommended by vendor)

* change password of user sidexis4service
* update password in Windows Services for all services to be executed as user sidexis4service
* update password in Windows Task Scheduler for all tasks to be executed as user sidexis4service (e.g. backup jobs)
* limit user rights (check if local administrator is required and remove if possible)
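The four mitigation steps above, carried out in one elevated PowerShell session. This is an added example, not a script from the advisory author or from the vendor; it assumes a local account named `sidexis4service` (the name given in the advisory) and that the Sidexis services and backup tasks run under that account on the same machine.

```powershell
# Added example (not from the advisory or the vendor): rotate the sidexis4service
# password and update every service and scheduled task that logs on with it.
# Assumes a local account named sidexis4service and an elevated PowerShell session.
$Account = 'sidexis4service'

# 1. New password, entered interactively so it never lands in a script or shell history.
$Secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password   # plaintext copy needed by the service/task APIs

# 2. Change the local account password.
Set-LocalUser -Name $Account -Password $Secure

# 3. Update every Windows service that logs on as this account (".\sidexis4service" or "HOST\sidexis4service").
$Services = Get-CimInstance Win32_Service | Where-Object { $_.StartName -match "(^|\\)$Account$" }
foreach ($Svc in $Services) {
    $Result = Invoke-CimMethod -InputObject $Svc -MethodName Change -Arguments @{ StartPassword = $Plain }
    if ($Result.ReturnValue -ne 0) { Write-Warning "Service $($Svc.Name): Change returned $($Result.ReturnValue)" }
    else { Write-Host "Service $($Svc.Name): credential updated" }
}

# 4. Update every scheduled task (e.g. backup jobs) that runs as this account.
$Tasks = Get-ScheduledTask | Where-Object { $_.Principal.UserId -match "(^|\\)$Account$" }
foreach ($Task in $Tasks) {
    Set-ScheduledTask -TaskName $Task.TaskName -TaskPath $Task.TaskPath `
        -User $Task.Principal.UserId -Password $Plain | Out-Null
    Write-Host "Task $($Task.TaskPath)$($Task.TaskName): credential updated"
}

# 5. Least privilege: report whether the account is still a local administrator.
$IsAdmin = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -match "\\$Account$" }
if ($IsAdmin) { Write-Warning "$Account is a member of Administrators; verify this is required before removing it." }

# 6. Restart the services that were running so they pick up the new credential.
$Services | Where-Object { $_.State -eq 'Running' } |
    ForEach-Object { Restart-Service -Name $_.Name -ErrorAction Continue }

# Scrub the plaintext copy once it is no longer needed.
$Plain = $null
```

Run it once per Sidexis host; if the account is a domain account, change the password in Active Directory instead of with `Set-LocalUser` and keep steps 3 to 6.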
## Files

-- Files removed due to unknown legal status (copyright) --

* [Sidexis 4 Security Whitepaper](https://www.bastolino.de/sidexis4securitywhitepaper.pdf)
* [Sidexis 4 Spicker](https://www.bastolino.de/sidexis4spicker.pdf)
## Further Information

* affected versions (at least): 4.2, 4.3.1
* product homepage: [dentsplysirona.com](//www.dentsplysirona.com/de-de/produkte/bildgebende-systeme/software/bildverarbeitung.html)
* CVSS score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:L (Base Score: 10.0)
### Impressum

Bastolino Ingenieurbüro Sebastian Werner, Königsallee 22, 83471 Berchtesgaden
E-mail: [sw+homepage@bastolino.de](mailto:sw+homepage@bastolino.de), PGP key: [Download](pgp.key), mobile: +49 151 21590802, UID: DE309683473