CVE-2024-36496

June 24, 2024, 12:57 p.m.

Tags

CWE-798
551230f0-3615-47bd-b7cc-93e92e730bbf
2024-06-24
CVE-2024-36496

Product(s) Impacted

UNKNOWN

Description

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.

Weaknesses

CWE-798
Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

CWE ID: 798

Date

Published: June 24, 2024, 9:15 a.m.

Last Modified: June 24, 2024, 12:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

551230f0-3615-47bd-b7cc-93e92e730bbf

References

https://r.sec-consult.com/winselect
551230f0-3615-47bd-b7cc-93e92e730bbf
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
551230f0-3615-47bd-b7cc-93e92e730bbf