Description
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP remoting channel with SOAP and binary formatters configured at TypeFilterLevel=Full and exposes default ObjectURI endpoints. A remote, unauthenticated attacker who can reach the remoting port can invoke the exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-202182
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-202182 affects the Entrust Instant Financial Issuance (IFI) On Premise software, specifically versions 5.x, prior to 6.10.5, and prior to 6.11.1. The issue lies in the Legacy Remoting Service, which is enabled by default and exposes a TCP remoting channel with SOAP and binary formatters configured at TypeFilterLevel=Full. This configuration allows for the invocation of remoting objects by unauthenticated attackers, leading to severe security implications.
Severity Evaluation:
- CVSS Base Score: 9.3
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
The high CVSS score indicates a critical vulnerability due to the following factors:
- Attack Vector (AV:N): Network-based attack
- Attack Complexity (AC:L): Low complexity
- Authentication (AT:N): No authentication required
- Privileges Required (PR:N): No privileges required
- User Interaction (UI:N): No user interaction required
- Confidentiality (VC:H), Integrity (VI:H), Availability (VA:H): High impact on all three
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Remote Unauthenticated Access: An attacker can exploit the vulnerability over the network without needing any authentication.
- Default Configuration: The Legacy Remoting Service is enabled by default, making it a prime target.
Exploitation Methods:
- Arbitrary File Read: Attackers can read arbitrary files from the server, potentially exposing sensitive data.
- Outbound Authentication Coercion: Attackers can coerce the server to authenticate to external services, leading to further compromise.
- Arbitrary File Write and Remote Code Execution: Using known .NET Remoting exploitation techniques, attackers can write arbitrary files and execute remote code, leading to full system compromise.
3. Affected Systems and Software Versions
Affected Software:
- Entrust Instant Financial Issuance (IFI) On Premise software versions:
- 5.x
- 6.0 < 6.10.5
- 6.0 < 6.11.1
Affected Systems:
- Any system running the affected versions of the Entrust IFI software with the Legacy Remoting Service enabled.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Disable the Legacy Remoting Service: Immediately disable the Legacy Remoting Service if it is not required.
- Network Segmentation: Isolate the affected systems from the network to limit exposure.
- Firewall Rules: Implement strict firewall rules to block access to the remoting port.
Long-Term Mitigation:
- Update Software: Upgrade to the latest patched versions of the Entrust IFI software (6.10.5 or 6.11.1 and above).
- Configuration Review: Review and harden the configuration of the IFI software to ensure secure settings.
- Regular Audits: Conduct regular security audits and vulnerability assessments.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to the European cybersecurity landscape, particularly for financial institutions and organizations using the Entrust IFI software. The potential for unauthenticated remote code execution and data exfiltration can lead to severe financial and reputational damage. Organizations must prioritize patching and securing their systems to mitigate this risk.
6. Technical Details for Security Professionals
Technical Overview:
- .NET Remoting: The vulnerability exploits the .NET Remoting framework, which allows objects to be invoked across different application domains.
- TypeFilterLevel=Full: This setting allows for the deserialization of any object, making it a critical point of exploitation.
- Default ObjectURI Endpoints: The default endpoints expose remoting objects that can be invoked by attackers.
Detection and Monitoring:
- Network Monitoring: Implement network monitoring to detect unusual traffic patterns, especially on the remoting port.
- Log Analysis: Analyze logs for any unauthorized access attempts or suspicious activities related to the remoting service.
- Intrusion Detection Systems (IDS): Deploy IDS to detect and alert on potential exploitation attempts.
Incident Response:
- Containment: Immediately contain the affected systems to prevent further spread.
- Forensic Analysis: Conduct a thorough forensic analysis to determine the extent of the compromise.
- Remediation: Apply patches and updates, and ensure all systems are secured according to best practices.
Conclusion: The vulnerability described in EUVD-2025-202182 is critical and requires immediate attention from organizations using the affected versions of the Entrust IFI software. By following the recommended mitigation strategies and maintaining vigilant security practices, organizations can significantly reduce the risk of exploitation and protect their systems from potential attacks.