Mirion Medical NMIS/BioDose Incorrect Permission Assignment and Authentication Vulnerabilities
Vulnerability
Multiple vulnerabilities have been identified in Mirion Medical's NMIS/BioDose software, specifically in versions through 22.02. These vulnerabilities stem from incorrect permission assignments that allow unauthorized access to critical resources, reliance on client-side authentication, and the use of hard-coded credentials. The incorrect permission assignments can enable users on client workstations to modify program executables and libraries, as well as access sensitive information from the SQL Server database and configuration files. The authentication vulnerability arises because the software uses a common SQL Server user account for database access, creating a persistent access point that could be exploited. Additionally, the presence of hard-coded passwords in the application's executable binaries further compounds these security issues, potentially allowing unauthorized access to both the application and its database.
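The incorrect permission assignment described above is the kind of weakness a workstation owner can verify locally. The following PowerShell check is an added example, not code from the advisory or from Mirion Medical: it walks an installation directory and reports executables, libraries and configuration files on which low-privilege principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) hold write, delete or permission-changing rights. The install path is a placeholder assumption to replace with the real location; the principal list and the rights mask are choices made here, not values taken from the page.

```powershell
# Added example (not from the advisory or the vendor): report program files under an
# install directory that non-administrative principals are allowed to modify.
param(
    # Assumption: placeholder path, replace with the application's real install root.
    [string]$InstallRoot = 'C:\Program Files\PLACEHOLDER_APP'
)

# Principals that should never be able to change program binaries or their configuration.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal alter, replace or re-ACL a file. Computed as an integer so
# that undefined generic bits on inherited ACEs (GENERIC_WRITE, GENERIC_ALL) are covered too.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$R::WriteData -bor [int]$R::AppendData -bor [int]$R::Delete -bor
             [int]$R::ChangePermissions -bor [int]$R::TakeOwnership -bor
             [int]$R::Write -bor [int]$R::Modify -bor [int]$R::FullControl -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Find-WritableProgramFiles {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.config -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                # Only explicit or inherited Allow entries granted to a low-privilege principal matter.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

$findings = @(Find-WritableProgramFiles -Root $InstallRoot)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} file(s) under {1} can be modified by low-privilege principals." -f $findings.Count, $InstallRoot)
} else {
    Write-Output "No low-privilege write access found under $InstallRoot."
}
```

Run it from an elevated prompt so every ACL is readable. A non-empty result on program binaries means a local user could replace code the application loads, which is the condition the description identifies; the expected state after remediation is an install tree where only Administrators, SYSTEM and TrustedInstaller hold modify rights. Inherited findings usually point at a permissive ACL on the parent directory rather than on the individual file.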
Impact
Exploitation of these vulnerabilities could lead to unauthorized access to the application and its database, allowing attackers to modify program executables, execute arbitrary code, and access sensitive information.
Remediation
Users are advised to update to version 23.0 or later. Those with an active support contract can contact Mirion Medical support for assistance.
