{"vuid":"VU#116713","idnumber":"116713","name":"NCR SelfServ ATM dispenser software contains multiple vulnerabilities","keywords":null,"overview":"### Overview\r\nNCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.\r\n\r\n### Description\r\nNCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.\r\n\r\n#### CVE-2020-9063\r\nUSB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.\r\n\r\n#### CVE-2020-10123\r\nThe currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)\r\n\r\n### Impact\r\nAn attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.\r\n\r\n### Solution\r\nSoftware, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.\r\n\r\n#### Update software and hardware\r\nAPTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.\r\n\r\n#### Update firmware\r\nAPTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:\r\n\r\n1. USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)\r\n2. USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)\r\n\r\n#### Update configuration\r\nIn addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are: \r\n\r\n1. Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers\r\n2. Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers)\r\n\r\nSee the [NCR Secure Whitepaper](https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf) for further information.\r\n\r\nWhen implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.\r\n\r\n### Acknowledgements\r\nThese vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.\r\n\r\nCoordinating with Embedi was supported by *U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.*\r\n\r\nThis document was written by Eric Hatleback and Laurie Tyzenhaus.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf","https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf","https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf","https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf","https://home.treasury.gov/news/press-releases/sm0410","https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx","https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf"],"cveids":["CVE-2020-10123","CVE-2020-9063"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-08-20T14:21:26.198629Z","publicdate":"2020-08-20T14:21:25.999222Z","datefirstpublished":"2020-08-20T14:21:26.209280Z","dateupdated":"2020-08-20T14:21:25.999213Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":14}