CVE-2017-6022 in PerformA
Summary
by MITRE
A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database.
Analysis
by VulDB Data Team • 10/21/2019
CVE-2017-6022 is a hard-coded credential weakness in medical device software from Becton, Dickinson and Company (BD). It affects two products: BD PerformA, version 2.0.14.0 and earlier, and KLA Journal Service, version 1.0.51 and earlier. Both applications authenticate to the BD Kiestra Database with passwords that are embedded in the software rather than configured per installation. Because that database holds limited protected health information (PHI) and personally identifiable information (PII), anyone who recovers the embedded password can read data the applications were trusted to protect.
The underlying weakness is CWE-798, Use of Hard-coded Credentials: a developer embeds a fixed username and password in source code or in a configuration file that ships with the product, so every installation authenticates with the same secret. This has two consequences. First, the secret is recoverable by anyone with a copy of the software, whether by reading it out of a configuration file or by extracting it from the binary with a string search. Second, the customer cannot rotate it; changing the password requires a new build from the vendor, so a leak at one site is a leak at every site. Here the embedded credential is the one the applications use to open their connection to the BD Kiestra Database, which makes the database access layer a single point of failure for the whole system.
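To make the CWE-798 pattern concrete, the following added example (written for this page, not BD's code) shows a constructed ADO.NET-style connection string with an embedded password next to a hardened loader that refuses to start unless the credential is supplied per deployment, plus a small scanner that flags literal passwords in source or configuration text. The server, account and password values, the environment variable names and the sample config file are all assumptions.

```python
"""Hard-coded database credentials (CWE-798): the weak pattern beside a
hardened loader, plus a scanner that flags the weak pattern in text.
Constructed example for illustration; none of this is BD code."""
import os
import re
from dataclasses import dataclass

# --- Weak pattern (constructed): every installation ships the same secret ---
# A literal connection string like this is what CWE-798 describes: the
# password is identical on every deployment and cannot be rotated by the
# customer without a new build from the vendor. Values are hypothetical.
WEAK_CONNECTION_STRING = (
    "Server=kiestra-db;Database=KiestraDB;"
    "User Id=svc_performa;Password=Summer2017!;"
)

# --- Hardened pattern: the secret is supplied per deployment at runtime ---
@dataclass(frozen=True)
class DbSettings:
    server: str
    database: str
    user: str
    password: str

    def connection_string(self) -> str:
        return (f"Server={self.server};Database={self.database};"
                f"User Id={self.user};Password={self.password};")

def load_db_settings(env) -> DbSettings:
    """Build settings from environment variables (or any per-host secret
    source). Fails closed: a built-in default would reintroduce the
    hard-coded secret, so a missing value is an error, not a fallback."""
    try:
        return DbSettings(
            server=env["KIESTRA_DB_SERVER"],
            database=env["KIESTRA_DB_NAME"],
            user=env["KIESTRA_DB_USER"],
            password=env["KIESTRA_DB_PASSWORD"],
        )
    except KeyError as missing:
        raise RuntimeError(f"database credential not configured: {missing}") from None

# --- Scanner: flag literal passwords inside connection strings ---
# Matches Password=... or Pwd=... and skips values that are clearly
# placeholders substituted at deploy time (${VAR}, %VAR%, {{var}}, <value>).
_LITERAL_PASSWORD = re.compile(r"""(?i)(?:password|pwd)\s*=\s*([^;"'\s]+)""")
_PLACEHOLDER = re.compile(r"^(\$\{.*\}|%.*%|\{\{.*\}\}|<.*>)$")

def find_hardcoded_credentials(text: str):
    """Return (line_number, value) for every literal password assignment
    found in the given source or configuration text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _LITERAL_PASSWORD.finditer(line):
            value = match.group(1)
            if not _PLACEHOLDER.match(value):
                findings.append((lineno, value))
    return findings

# Constructed app.config fragment: one embedded password, one placeholder.
SAMPLE_CONFIG = """\
<connectionStrings>
  <add name="Kiestra" connectionString="Server=kiestra-db;Database=KiestraDB;User Id=svc_performa;Password=Summer2017!;" />
  <add name="Journal" connectionString="Server=kiestra-db;Database=Journal;User Id=svc_journal;Password=${KIESTRA_DB_PASSWORD};" />
</connectionStrings>
"""

if __name__ == "__main__":
    for lineno, value in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: literal password {value!r}")
    try:
        print("connecting to", load_db_settings(os.environ).server)
    except RuntimeError as err:
        print(err)
```

The scanner is deliberately narrow (connection-string syntax only) so that it has few false positives when run over a build tree; the point is that a hard-coded credential is a grep-able artifact, for the reviewer and for the attacker alike. The hardened loader shows the other half of the fix: once the secret comes from the deployment, each site can hold a different password and rotate it without a vendor release.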
The practical impact is unauthorized access to the limited PHI/PII held in the BD Kiestra Database by anyone who obtains the password, whether by reading it out of an installed copy or by reverse engineering the software. That is a serious concern in healthcare environments, where HIPAA makes protection of patient data mandatory and unauthorized disclosure carries legal and financial consequences. The exposure is persistent: because the customer cannot change the password, the risk remains until the vendor's updated software is installed. In ATT&CK terms the follow-on activity maps to T1078, Valid Accounts. The attacker authenticates to the database with a legitimate credential, so the access looks like normal application traffic rather than an exploit, and the usual signs of a break-in are absent.
Organizations running the affected software should update to the versions BD released to address this issue (the MITRE summary names 2.0.14.0 and 1.0.51 as the last affected versions; the vendor advisory gives the fixed versions). Beyond patching, several measures reduce the exposure while the update is rolled out and limit the damage if the credential has already leaked. Inventory every installation of PerformA and KLA Journal Service, since lab and clinical workstations are easy to miss in a general asset list. Restrict network access to the BD Kiestra Database to the hosts that run those applications. Monitor database logins for the applications' service account from any other host, because a reused hard-coded credential shows up as the legitimate account connecting from an unexpected place rather than as a failed exploit. Finally, audit other medical device and laboratory software for the same pattern. The case illustrates why secure coding guidance forbids hard-coded credentials in production systems, particularly where the data involved is regulated, and why timely deployment of vendor security updates has to be part of routine operations.
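The monitoring point above can be expressed as a simple detection rule: each application service account has a known set of hosts it should connect from, and any login by that account from another host is an alert. The following added example (written for this page, not BD's or the database vendor's tooling) runs such a rule over constructed audit lines. The log format, account names, host names and allow list are all assumptions; a real deployment would feed it the database engine's login audit and build the allow list from the installation inventory.

```python
"""Detect a shared service account being used from an unexpected host,
the tell-tale of a reused hard-coded credential (ATT&CK T1078).
Constructed example; log format and names are assumptions."""
import re
from collections import defaultdict

# Constructed audit lines in a simplified "ts user=... host=... result=..."
# form. Two lines show the application account used from an IT laptop.
SAMPLE_LOGINS = """\
2019-10-21T08:00:01Z user=svc_performa host=perfa-ws01 result=success
2019-10-21T08:00:07Z user=svc_journal host=kla-srv01 result=success
2019-10-21T08:02:13Z user=svc_performa host=perfa-ws02 result=success
2019-10-21T11:41:55Z user=svc_performa host=it-laptop-17 result=success
2019-10-21T11:42:09Z user=svc_performa host=it-laptop-17 result=failure
2019-10-21T12:00:00Z user=dba_alice host=dba-ws01 result=success
"""

# Allow list: which hosts each application service account may connect
# from. Assumed here; in practice derived from the deployment inventory.
EXPECTED_HOSTS = {
    "svc_performa": {"perfa-ws01", "perfa-ws02"},
    "svc_journal": {"kla-srv01"},
}

_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

def parse_logins(text):
    """Parse audit lines into dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        match = _LINE.match(raw.strip())
        if match:
            events.append(match.groupdict())
    return events

def flag_unexpected_logins(events, expected=EXPECTED_HOSTS):
    """Return events where a monitored service account connected, or
    tried to, from a host outside its allow list. Failed attempts are
    kept on purpose: they show someone has the account name and is
    probing. Accounts absent from the allow list (named DBA users) are
    out of scope for this rule."""
    alerts = []
    for event in events:
        hosts = expected.get(event["user"])
        if hosts is not None and event["host"] not in hosts:
            alerts.append(event)
    return alerts

def summarize(alerts):
    """Collapse alerts to (account, host) -> count, the unit a responder
    would triage as one ticket."""
    counts = defaultdict(int)
    for event in alerts:
        counts[(event["user"], event["host"])] += 1
    return dict(counts)

if __name__ == "__main__":
    found = flag_unexpected_logins(parse_logins(SAMPLE_LOGINS))
    for (account, host), n in summarize(found).items():
        print(f"ALERT: {account} used from unexpected host {host} ({n} events)")
```

Note what the rule does not rely on: no failed-login threshold and no exploit signature, because with a hard-coded credential the attacker logs in successfully on the first try. The only observable is the source of the connection, which is also why restricting database access at the network level to the application hosts is the complementary control.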