An issue in PDQ Smart Deploy V.3.0.2040 allows an attacker to escalate privileges via the Credential encryption routines in SDCommon.dll
The SDCommon.dll library included in PDQ Smart Deploy implements authentication data encryption procedures in a manner vulnerable to attack — according to the description and reference title suggesting the use of static cryptographic keys. An attacker can exploit weaknesses in these procedures to obtain or decrypt stored authentication data. Data obtained this way allows for privilege escalation in the system or environment managed by Smart Deploy.
An attacker can obtain higher privileges in the system, potentially taking control of the environment managed by PDQ Smart Deploy. The consequence of a successful attack is a breach of confidentiality, integrity, and availability of the system.
Apply patches available from the vendor according to the references — details available at https://www.pdq.com/products/smartdeploy/. It is also recommended to review stored authentication data and rotate passwords for accounts used in the Smart Deploy environment.
PDQ Smart Deploy version V.3.0.2040
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPdq Smart Deploy
APPPdq< 3.0.2046