CERT/CC Warns of Vulnerabilities in Diebold Nixdorf, NCR ATMs


The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published alerts on several vulnerabilities that impact Diebold Nixdorf ProCash and NCR SelfServ automated teller machines (ATMs).

A vulnerability in the Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30, CERT/CC reveals, could be abused by an attacker with physical access to internal machine components to commit deposit forgery.

The issue exists because the vulnerable devices do not encrypt, authenticate, or verify the integrity of messages transmitted between the cash and check deposit module (CCDM) and the host computer.

“An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer,” the CERT/CC alert reads.

To commit deposit forgery, an attacker would need to perform two separate transactions. First, they would need to deposit actual currency and modify the transmitted messages to indicate that a larger amount was deposited, after which they would need to withdraw an artificially increased amount.

Diebold Nixdorf has issued an update to secure the communication between the CCDM and the host computer, and also published a document detailing procedures for addressing the vulnerability.

Physical attacks are possible against NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 as well, CERT/CC reveals in two separate alerts.

The first issue (CVE-2020-10124) impacts the communications bus between the host computer and the bunch note accepter (BNA), and exists because the machine does not encrypt, authenticate, or verify the integrity of messages between the two components.
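Both the Diebold CCDM finding above and CVE-2020-10124 have the same root cause: the host believes whatever arrives on the internal bus. The following is an added example, not code from the page or from either vendor. It defines a hypothetical deposit-report format, shows an attacker spliced into the bus rewriting the note count and the host crediting the inflated amount, and then the same message carrying a sequence number and an HMAC-SHA256 tag under a key shared by module and host, which makes the rewrite (and a replay) detectable. The wire format, field widths, key and amounts are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical wire format for a deposit report from the deposit module to the
# host (constructed for this example, NOT the ProCash or SelfServ format):
# 1-byte message type, 2-byte denomination in cents, 2-byte note count.
MSG_DEPOSIT = 0x01
_FMT = ">BHH"
_TAG_LEN = 32  # HMAC-SHA256 output


def encode_deposit(denomination_cents: int, count: int) -> bytes:
    return struct.pack(_FMT, MSG_DEPOSIT, denomination_cents, count)


def parse_deposit_unprotected(raw: bytes) -> int:
    """Baseline host behaviour: trust the bus. Returns the amount to credit, in cents."""
    msg_type, denomination, count = struct.unpack(_FMT, raw)
    if msg_type != MSG_DEPOSIT:
        raise ValueError("unexpected message type")
    return denomination * count


def tamper_count(raw: bytes, new_count: int) -> bytes:
    """What an attacker on the bus can do: rewrite the note count in transit."""
    msg_type, denomination, _ = struct.unpack(_FMT, raw)
    return struct.pack(_FMT, msg_type, denomination, new_count)


def protect(raw: bytes, key: bytes, seq: int) -> bytes:
    """Hardened framing: 4-byte sequence number + body + HMAC over both."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + raw, hashlib.sha256).digest()
    return header + raw + tag


def parse_deposit_protected(frame: bytes, key: bytes, expected_seq: int) -> int:
    """Returns the amount to credit, or raises if the tag or sequence number is wrong."""
    if len(frame) < 4 + struct.calcsize(_FMT) + _TAG_LEN:
        raise ValueError("frame too short")
    header, body, tag = frame[:4], frame[4:-_TAG_LEN], frame[-_TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad authentication tag: message modified or forged")
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        raise ValueError("unexpected sequence number: possible replay")
    return parse_deposit_unprotected(body)


def tamper_protected(frame: bytes, new_count: int) -> bytes:
    """Attacker rewrites the count inside a protected frame; it has no key to re-tag."""
    header, body, tag = frame[:4], frame[4:-_TAG_LEN], frame[-_TAG_LEN:]
    return header + tamper_count(body, new_count) + tag


def demo() -> dict:
    key = b"constructed-shared-key-for-demo"  # in practice provisioned into both ends
    honest = encode_deposit(2000, 5)          # five $20 notes = $100.00
    forged = tamper_count(honest, 500)        # claims 500 notes = $10,000.00
    results = {
        "honest_unprotected": parse_deposit_unprotected(honest),
        "forged_unprotected": parse_deposit_unprotected(forged),
    }
    frame = protect(honest, key, seq=7)
    results["honest_protected"] = parse_deposit_protected(frame, key, expected_seq=7)
    try:
        parse_deposit_protected(tamper_protected(frame, 500), key, expected_seq=7)
        results["forged_protected"] = "accepted"
    except ValueError:
        results["forged_protected"] = "rejected"
    try:
        parse_deposit_protected(frame, key, expected_seq=8)  # replaying seq 7
        results["replay_protected"] = "accepted"
    except ValueError:
        results["replay_protected"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The attacker can still rewrite bytes on the bus in the hardened version; what changes is that the host refuses to credit them. The hard part in a real deployment is the key itself: it has to be provisioned into both the module and the host in tamper-resistant storage and be unique per machine, otherwise one extracted key undoes the protection everywhere.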

The ATMs also use 512-bit RSA certificates to validate BNA software updates (CVE-2020-10125). Keys of that size can be factored quickly enough for an attacker to sign arbitrary files, bypass application whitelisting, and execute arbitrary code on the machine.

Because the device doesn’t properly validate software updates for the BNA (CVE-2020-10126), an attacker with physical access could execute arbitrary code with SYSTEM privileges by restarting the machine to initiate the update process.

Devices running APTRA XFS 06.08 are no longer impacted by these vulnerabilities. The update increases the strength of the RSA keys and addresses the bypass of the digital signature check.
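Why a 512-bit signing key fails, shown as an added example that is not code from the page or from NCR: a toy textbook-RSA signer with a 56-bit modulus (standing in for 512 bits so the attack finishes in a fraction of a second) has its modulus factored with Pollard's rho, the attacker recomputes the private exponent and signs an "update" that the original verifier accepts; a hardened verifier rejects any key under 2048 bits before it even looks at the signature. A 512-bit modulus takes far more compute than this toy, but one was factored publicly as early as 1999, so it offers no protection against a determined adversary. The update contents, the key sizes and the 2048-bit policy threshold are assumptions for the example; a real verifier would use padded signatures (RSA-PSS or similar) from a vetted library, never the unpadded scheme below.

```python
import hashlib
import random
from math import gcd

# Toy textbook RSA (no padding) with a deliberately tiny modulus, written for
# this example so the attack runs in well under a second. It is not a model of
# NCR's update format; the point is only that the key size alone decides
# whether the signature can be forged.


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits: int):
    """Returns (n, e, d) with n roughly `bits` wide."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    return pow(_digest_int(data, n), d, n)


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    """The original verifier: checks the signature, never the key size."""
    return pow(sig, e, n) == _digest_int(data, n)


def pollard_rho(n: int) -> int:
    """Returns a non-trivial factor of the odd composite n (Pollard's rho)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_exponent(n: int, e: int) -> int:
    """Attacker's step: factor n, then recompute d exactly as the key owner did."""
    p = pollard_rho(n)
    return pow(e, -1, (p - 1) * (n // p - 1))


MIN_SIGNING_KEY_BITS = 2048  # assumed policy for the hardened verifier


def update_is_trusted(update: bytes, sig: int, n: int, e: int) -> bool:
    """Hardened verifier: refuse undersized keys before examining the signature."""
    if n.bit_length() < MIN_SIGNING_KEY_BITS:
        return False
    return verify(update, sig, n, e)


def demo(key_bits: int = 56) -> dict:
    n, e, d = generate_key(key_bits)
    malicious_update = b"attacker payload (constructed sample)"
    d_recovered = recover_private_exponent(n, e)
    forged_sig = sign(malicious_update, n, d_recovered)
    return {
        "recovered_d_matches": d_recovered == d,
        "forged_passes_weak_check": verify(malicious_update, forged_sig, n, e),
        "forged_passes_hardened_check": update_is_trusted(malicious_update, forged_sig, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The key-size check is cheap and belongs in the verifier regardless of which keys the vendor currently ships: it is what stops an old, weak certificate from remaining usable after a key rollover.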

Two other vulnerabilities affect the communications bus between the currency dispenser component and the host computer of NCR SelfServ ATMs running APTRA XFS 05.01.00 or older.

The USB HID communications between the two are neither authenticated nor integrity-protected (CVE-2020-9063), allowing a physical attacker to trigger a buffer overflow, inject a malicious payload, and run arbitrary code with SYSTEM privileges.

Furthermore, because the currency dispenser component fails to authenticate session key generation requests (CVE-2020-10123), the attacker could generate a new session key and issue commands to dispense currency.
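The session key flaw is a different failure from the missing message integrity above: here the dispenser accepts a new key from whoever asks, so the attacker does not need to break anything, only to load a key it already knows. The following added example (constructed for this page, not NCR's protocol or code) models a host-to-dispenser exchange in which the host loads a session key and then MACs each DISPENSE command under it. The weak dispenser accepts any key-load request; the hardened one requires the request to carry a MAC under a long-term key installed in the dispenser at manufacture, and also rejects replayed commands with a counter. The command names, key lengths and amounts are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of the host <-> currency dispenser exchange, NOT NCR's protocol.


def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


class Dispenser:
    def __init__(self, long_term_key: bytes, authenticate_key_load: bool):
        self._ltk = long_term_key            # assumed to be provisioned at manufacture
        self._strict = authenticate_key_load
        self._session_key: Optional[bytes] = None
        self._counter = 0                    # per-session command counter, blocks replays
        self.dispensed_cents = 0

    def set_session_key(self, new_key: bytes, auth_tag: Optional[bytes]) -> bool:
        """Weak mode: accept any key. Strict mode: the request must be MACed under the LTK."""
        if self._strict:
            expected = mac(self._ltk, b"SET_SESSION_KEY", new_key)
            if auth_tag is None or not hmac.compare_digest(auth_tag, expected):
                return False
        self._session_key = new_key
        self._counter = 0
        return True

    def dispense(self, counter: int, amount_cents: int, tag: bytes) -> bool:
        if self._session_key is None or counter != self._counter + 1:
            return False
        body = counter.to_bytes(4, "big") + amount_cents.to_bytes(4, "big")
        if not hmac.compare_digest(tag, mac(self._session_key, b"DISPENSE", body)):
            return False
        self._counter = counter
        self.dispensed_cents += amount_cents
        return True


def host_dispense(disp: Dispenser, session_key: bytes, counter: int, amount_cents: int) -> bool:
    body = counter.to_bytes(4, "big") + amount_cents.to_bytes(4, "big")
    return disp.dispense(counter, amount_cents, mac(session_key, b"DISPENSE", body))


def attacker_jackpot(disp: Dispenser, amount_cents: int) -> bool:
    """Attacker on the bus: holds no keys, so it loads one of its own and uses it."""
    own_key = os.urandom(32)
    if not disp.set_session_key(own_key, auth_tag=None):
        return False
    return host_dispense(disp, own_key, 1, amount_cents)


def demo() -> dict:
    ltk = b"constructed-long-term-key-for-demo"
    weak, hardened = Dispenser(ltk, False), Dispenser(ltk, True)
    results = {
        "weak_jackpot": attacker_jackpot(weak, 100_000),
        "hardened_jackpot": attacker_jackpot(hardened, 100_000),
    }
    # The legitimate host does hold the long-term key, so it can still load a key.
    sk = os.urandom(32)
    hardened.set_session_key(sk, mac(ltk, b"SET_SESSION_KEY", sk))
    results["hardened_legit"] = host_dispense(hardened, sk, 1, 2_000)
    results["hardened_replay"] = host_dispense(hardened, sk, 1, 2_000)  # same counter
    results["weak_dispensed"] = weak.dispensed_cents
    results["hardened_dispensed"] = hardened.dispensed_cents
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps the long-term key out of the host software's reach of a bus-level attacker: the attacker sees key-load requests and commands go by, but without the LTK cannot produce a valid key-load tag, and without the session key cannot produce a valid DISPENSE tag. A production design would also bind the session key to a freshly generated dispenser nonce so that a captured key-load request cannot be replayed, which this short example omits.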

With APTRA XFS 05.01 reaching the end of life in 2015, machines running unsupported software and hardware should be upgraded as soon as possible. APTRA XFS Dispenser Security Update 01.00.00 has been issued for both S1 and S2 dispensers.

All of these vulnerabilities were identified and reported by security researchers associated with Embedi, which was sanctioned by the U.S. Department of the Treasury in June 2018 because Digital Security, which owned or controlled Embedi as of May 2017, had provided “material and technological support” to Russia’s Federal Security Service (FSB).

Related: ATM Maker Diebold Nixdorf Hit by Ransomware

Related: France Says Breaks Up International ATM ‘Jackpotting’ Network

Related: The Latest Threats to ATM Security


Ionut Arghire is an international correspondent for SecurityWeek.
