New England Municipal Resource Center (NEMRC) Software Vulnerabilities Disclosure
Most municipalities in Vermont rely on software called NEMRC, made by the New England Municipal Resource Center (NEMRC), for holding town and resident data. Working with clients, simpleroute previously identified three critical vulnerabilities in the NEMRC software in December 2017. These were reported to NEMRC in January 2018. NEMRC’s public listing of clients shows over 300 entities using some form of their software, some or all of which may have been affected. Evidence from client backups shows that at least one of these vulnerabilities dates back as far as 2006.
The discovered vulnerabilities affect municipal worker social security numbers (SSNs), taxpayer payment records (particularly banking and routing information), and the backup transport used before the December 2018 patch release.
Our team feels strongly that we have a civic, moral and ethical responsibility to release these findings for public review. A significant window has been allowed for the software vendor to make modifications and patch the vulnerabilities we detail in our findings. Please review our full findings below for full details:
All NEMRC customers are strongly advised to immediately update to the latest version of the software. All published vulnerabilities have been confirmed fixed in the latest release as detailed in our full disclosure.