CVE-2024-11308 - Vulnerability Details - OpenCVE

The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Trcore	Dvc

Configuration 1 [-]

cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-33719	The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.

Fixes

Solution

Update to version 6.4 or later.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html
https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html

History

Wed, 20 Nov 2024 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other

Mon, 18 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trcore Trcore dvc
CPEs		cpe:2.3:a:trcore:dvc::::::::
Vendors & Products		Trcore Trcore dvc
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 06:15:00 +0000

Type	Values Removed	Values Added
Description		The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.
Title		TRCore DVC - Use of Hard-coded Cryptographic Key
Weaknesses		CWE-321
References		https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-11-18T05:59:30.085Z

Updated: 2024-11-18T13:57:50.912Z

Reserved: 2024-11-18T01:44:48.085Z

Link: CVE-2024-11308

Vulnrichment

Updated: 2024-11-18T13:50:19.316Z

NVD

Status : Analyzed

Published: 2024-11-18T06:15:04.263

Modified: 2024-11-20T15:17:52.307

Link: CVE-2024-11308

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11308", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-11-18T01:44:48.085Z", "datePublished": "2024-11-18T05:59:30.085Z", "dateUpdated": "2024-11-18T13:57:50.912Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DVC", "vendor": "TRCore", "versions": [{"lessThanOrEqual": "6.3", "status": "affected", "version": "6.0", "versionType": "custom"}]}], "datePublic": "2024-11-18T05:56:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "  The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content."}], "value": "The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content."}], "impacts": [{"capecId": "CAPEC-191", "descriptions": [{"lang": "en", "value": "CAPEC-191 Read Sensitive Constants Within an Executable"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-18T05:59:30.085Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 6.4 or later.<br>"}], "value": "Update to version 6.4 or later."}], "source": {"advisory": "TVN-202411015", "discovery": "EXTERNAL"}, "title": "TRCore DVC - Use of Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T13:46:42.401985Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*"], "vendor": "trcore", "product": "dvc", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:57:50.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T13:46:42.401985Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*"], "vendor": "trcore", "product": "dvc", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:50:19.316Z"}}], "cna": {"title": "TRCore DVC - Use of Hard-coded Cryptographic Key", "source": {"advisory": "TVN-202411015", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-191", "descriptions": [{"lang": "en", "value": "CAPEC-191 Read Sensitive Constants Within an Executable"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TRCore", "product": "DVC", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to version 6.4 or later.", "supportingMedia": [{"type": "text/html", "value": "Update to version 6.4 or later.<br>", "base64": false}]}], "datePublic": "2024-11-18T05:56:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html", "tags": ["third-party-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.", "supportingMedia": [{"type": "text/html", "value": "  The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-18T05:59:30.085Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11308", "state": "PUBLISHED", "dateUpdated": "2024-11-18T13:57:50.912Z", "dateReserved": "2024-11-18T01:44:48.085Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-11-18T05:59:30.085Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEBC9960-DCCF-4107-9B47-F37CD5F4DAF9", "versionEndExcluding": "6.4", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content."}, {"lang": "es", "value": "El DVC de TRCore cifra los archivos mediante una clave codificada. Los atacantes pueden utilizar esta clave para descifrar los archivos y restaurar el contenido original."}], "id": "CVE-2024-11308", "lastModified": "2024-11-20T15:17:52.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2024-11-18T06:15:04.263", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-321"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}