CVE-2024-39342

EUVD-2024-37907

23.09.2024, 18:15

Entrust Instant Financial Issuance (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier uses a DLL library (i.e. DCG.Security.dll) with a custom AES encryption process that relies on static hard-coded key values. These keys are not uniquely generated per installation of the software. Combined with the encrypted password that can be obtained from "WebAPI.cfg.xml" in CVE-2024-39341, the decryption is trivial and can lead to privilege escalation on the Windows host.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.6 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
entrust_instant_financial_issuance	entrust_instant_financial_issuance	𝑥 ≤ 6.10.0	ADP
entrust_instant_financial_issuance	entrust_instant_financial_issuance	𝑥 ≤ 6.9.0	ADP
entrust_instant_financial_issuance	entrust_instant_financial_issuance	𝑥 ≤ 6.9.1	ADP
entrust_instant_financial_issuance	entrust_instant_financial_issuance	𝑥 ≤ 6.9.2	ADP
entrust_instant_financial_issuance	entrust_instant_financial_issuance	𝑥 ≤ 6.8.x	ADP

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://gist.github.com/VAMorales/21a8700a67d80c263b38e693fd528313

https://trustedcare.entrust.com/login

https://www.entrust.com/