VYPR

Medium severity (6.6) · NVD Advisory · Published Sep 23, 2024 · Updated Apr 15, 2026

CVE-2024-39342

Description

Entrust Instant Financial Issuance uses hard-coded AES keys in DCG.Security.dll, enabling trivial decryption of stolen encrypted passwords for privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The vulnerability lies in the Entrust Instant Financial Issuance (formerly CardWizard) software, where the DCG.Security.dll library implements a custom AES encryption process that relies on static, hard-coded key values [1]. Because these keys are not unique per installation, every deployment of the affected versions shares the same cryptographic material, so anyone who can extract the keys from one copy of the library can decrypt data protected by any other.

Exploitation

Prerequisites

To exploit this weakness, an attacker must first obtain the encrypted password from the WebAPI.cfg.xml configuration file, as described in CVE-2024-39341 [1]. That file can be retrieved without authentication over HTTP port 80 by guessing the correct IIS webroot path (e.g., /cardwizardAPI_/WebAPI.cfg.xml). With the encrypted password in hand and the static AES keys from the corresponding software version, decryption becomes trivial.

Impact

Successful decryption of the stored password can lead to privilege escalation on the Windows host running the Instant Financial Issuance software [1]. An attacker with elevated privileges could compromise the entire system, access sensitive data, or pivot to other internal resources.

Mitigation

Entrust has released a security bulletin (E24-003) to address these issues, and Instant Financial Issuance as a Service (version 8.x) is not affected [1]. Users of on-premise versions 6.10.0, 6.9.x, 6.8.x, and earlier should apply the vendor-supplied fix or follow the guidance provided in the bulletin to secure their installations.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0 (no linked articles in our index yet)