# Vulnerability in Sirona Sidexis 4: stored default credentials (CVE-2019-11081 | Ticket # 222666)

Details (1)

• 2018-10-03: contacted vendor via E-Mail to contact@dentsplysirona.com

• 2018-10-08: received phone call from vendor, forwarding it to the product owner

• 2018-10-21: Sirona assigned their Service Request ID ("Vorgangsnummer"): 8000254664

• 2018-10-31: asking for news via E-Mail

• 2018-11-06: receiving information to contact product owner directly (Name and E-Mail not listed here for privacy reasons)

Details (2)

• 2018-11-06: contacting product owner asking for news and a statement

• 2018-12-04: re-sending request due to no response (receiving autoresponder this time)

• 2018-12-21: received E-Mail from product owner stating that there might be more security issues in Sidexis 4, attached a security whitepaper

• 2018-12-22: reply to product owner asking how the bug will get fixed and by when; asking another question

Details (3)

• 2019-01-03: received response from product owner answering the "other" question, but no information about the bug

• 2019-01-08: re-asking about the open questions

• 2019-01-21: friendly reminder

• 2019-04-10: application for CVE-number

• 2019-04-10: public disclosure

• 2019-04-10: assigned CVE-2019-11081

• 2019-04-11: informed product owner about CVE

• 2019-05-13: got an email informing me about the CVE being exploited. Check back later for further information.

Mitigation (not recommended by vendor)

• change the password of the user sidexis4service

• update the password in Windows Services for every service that runs as user sidexis4service

• update the password in Windows Task Scheduler for every task that runs as user sidexis4service (e.g. backup jobs)

• limit the user's rights (check whether local administrator membership is required and remove it if possible)
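The four mitigation steps above as one script, added here as an example and not taken from the advisory or from the vendor; it assumes sidexis4service is a local account on the Sidexis host and that the session is elevated.

```powershell
# Added example (not vendor code). Assumes the Sidexis 4 service account is the
# local user 'sidexis4service' named in this advisory; run from an elevated session.
$account = 'sidexis4service'
$newPassword = Read-Host -AsSecureString -Prompt "New password for $account"
$plain = [System.Net.NetworkCredential]::new('', $newPassword).Password

# Step 1: rotate the local account password.
Set-LocalUser -Name $account -Password $newPassword

# Matches ".\sidexis4service", "HOST\sidexis4service" or a bare user name.
$pattern = "(?i)(^|\\)$account$"

# Step 2: update the logon password of every service running as this account.
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $pattern }
foreach ($svc in $services) {
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $svc.StartName
        StartPassword = $plain
    }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Service $($svc.Name): Change returned $($result.ReturnValue)"
    } else {
        Write-Host "Updated service $($svc.Name)"
    }
}

# Step 3: re-register every scheduled task (e.g. backup jobs) that runs as this account.
$tasks = Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern }
foreach ($task in $tasks) {
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath `
        -User $task.Principal.UserId -Password $plain | Out-Null
    Write-Host "Updated task $($task.TaskPath)$($task.TaskName)"
}

# Step 4: report whether the account is still a local administrator; review
# before removing the membership with Remove-LocalGroupMember.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -match $pattern }
if ($isAdmin) {
    Write-Warning "$account is a member of Administrators; remove it if Sidexis runs without it."
}
```

Restart the affected services afterwards so they pick up the new credentials, and verify the backup tasks run once before relying on them.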

Files

-- Files removed due to unknown legal status (copyright) --

Sidexis 4 Security Whitepaper

Sidexis 4 Spicker

Further Information

affected versions (at least): 4.2

product homepage:

dentsplysirona.com

CVSS-Score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:L

(Base Score: 10.0)
