PT-2017-12136 · Ibm+1 · Ibm Db2+1

Allen F · Published 2017-07-25 · Updated 2017-08-03 · CVE-2017-11614

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

MEDHOST Connex (affected versions not specified)

Description

MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker who knows these credentials and can communicate directly with the database may obtain or modify sensitive patient and financial information. The application uses an IBM i DB2 user account named HMSCXPDN, whose hard-coded password cannot be changed by customers. This account has elevated DB2 roles that allow access to all database objects or tables. Data can be accessed through ODBC, FTP, and TELNET. Even customers without Connex installed are vulnerable, because the MEDHOST setup program creates this account.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2017-11614

Affected Products

Ibm Db2
Medhost Connex