{
  "document": {
    "acknowledgments": [
      {
        "urls": [
          "https://kb.cert.org/vuls/id/116713#acknowledgements"
        ]
      }
    ],
    "category": "CERT/CC Vulnerability Note",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "### Overview\r\nNCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.\r\n\r\n### Description\r\nNCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.\r\n\r\n#### CVE-2020-9063\r\nUSB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.\r\n\r\n#### CVE-2020-10123\r\nThe currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)\r\n\r\n### Impact\r\nAn attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.\r\n\r\n### Solution\r\nSoftware, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.\r\n\r\n#### Update software and hardware\r\nAPTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.\r\n\r\n#### Update firmware\r\nAPTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:\r\n\r\n1. USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)\r\n2. USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)\r\n\r\n#### Update configuration\r\nIn addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:\r\n\r\n1. Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers\r\n2. Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers)\r\n\r\nSee the [NCR Secure Whitepaper](https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf) for further information.\r\n\r\nWhen implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.\r\n\r\n### Acknowledgements\r\nThese vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.\r\n\r\nCoordinating with Embedi was supported by *U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.*\r\n\r\nThis document was written by Eric Hatleback and Laurie Tyzenhaus.",
        "title": "Summary"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.",
        "title": "Legal Disclaimer"
      },
      {
        "category": "other",
        "text": "CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.",
        "title": "Limitations of Advisory"
      },
      {
        "category": "other",
        "text": "The security of NCR’s cash dispenser module is critically important, and NCR continuously upgrades and improves the resistance of these modules to attack, including the class of attack known as ‘black box’ where the attacker has access to the communications cable to the dispenser. NCR advises all customers that it is critically important that APTRA XFS software is kept up to date to ensure that the latest security patches are always installed. We note that the version of software referenced in this report, APTRA XFS 05.01, was released in 2010, and discontinued for support in 2015. Any customer still using unsupported software should upgrade at the earliest possible opportunity. For advice on upgrade versions, NCR would direct our customers to the latest advisory for dispenser software, attached, which will protect from all known ‘Black Box’ attack methods, including the issues identified in this report.",
        "title": "Vendor statement from NCR Corporation"
      },
      {
        "category": "other",
        "text": "There are no additional comments at this time.",
        "title": "CERT/CC comment on NCR Corporation notes"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: cert@cert.org, Phone: +1412 268 5800",
      "issuing_authority": "CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/",
      "name": "CERT/CC",
      "namespace": "https://kb.cert.org/"
    },
    "references": [
      {
        "url": "https://certcc.github.io/certcc_disclosure_policy",
        "summary": "CERT/CC vulnerability disclosure policy"
      },
      {
        "summary": "CERT/CC document released",
        "category": "self",
        "url": "https://kb.cert.org/vuls/id/116713"
      },
      {
        "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf",
        "summary": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf"
      },
      {
        "url": "https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf",
        "summary": "https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf"
      },
      {
        "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf",
        "summary": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf"
      },
      {
        "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf",
        "summary": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf"
      },
      {
        "url": "https://home.treasury.gov/news/press-releases/sm0410",
        "summary": "https://home.treasury.gov/news/press-releases/sm0410"
      },
      {
        "url": "https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx",
        "summary": "https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx"
      },
      {
        "url": "https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf",
        "summary": "https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf"
      },
      {
        "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf",
        "summary": "Reference(s) from vendor \"NCR Corporation\""
      }
    ],
    "title": "NCR SelfServ ATM dispenser software contains multiple vulnerabilities",
    "tracking": {
      "current_release_date": "2020-08-20T14:21:25+00:00",
      "generator": {
        "engine": {
          "name": "VINCE",
          "version": "3.0.35"
        }
      },
      "id": "VU#116713",
      "initial_release_date": "2020-08-20 14:21:25.999222+00:00",
      "revision_history": [
        {
          "date": "2020-08-20T14:21:25+00:00",
          "number": "1.20200820142125.1",
          "summary": "Released on 2020-08-20T14:21:25+00:00"
        }
      ],
      "status": "final",
      "version": "1.20200820142125.1"
    }
  },
  "vulnerabilities": [
    {
      "title": "The communications bus between the HID and the dispenser is vulnerable to buffer overflow.",
      "notes": [
        {
          "category": "summary",
          "text": "The communications bus between the HID and the dispenser is vulnerable to buffer overflow. An attacker with physical access can insert a malicious payload or execute arbitrary code with SYSTEM privileges."
        }
      ],
      "cve": "CVE-2020-9063",
      "ids": [
        {
          "system_name": "CERT/CC V Identifier",
          "text": "VU#116713"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-18371f34-39ef-11f1-8422-122e2785dc9f"
        ]
      }
    },
    {
      "title": "The session key, which is designed to protect communications between the host computer and the currency dispenser, implements a weak encryption scheme.",
      "notes": [
        {
          "category": "summary",
          "text": "The session key, which is designed to protect communications between the host computer and the currency dispenser, implements a weak encryption scheme. An attacker with physical access can intercept the weak session key and generate a new session key. Doing so enables the attacker to send commands to the dispenser to dispense currency."
        }
      ],
      "cve": "CVE-2020-10123",
      "ids": [
        {
          "system_name": "CERT/CC V Identifier",
          "text": "VU#116713"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1837b4d0-39ef-11f1-8422-122e2785dc9f"
        ]
      }
    }
  ],
  "product_tree": {
    "branches": [
      {
        "category": "vendor",
        "name": "NCR Corporation",
        "product": {
          "name": "NCR Corporation Products",
          "product_id": "CSAFPID-18371f34-39ef-11f1-8422-122e2785dc9f"
        }
      },
      {
        "category": "vendor",
        "name": "NCR Corporation",
        "product": {
          "name": "NCR Corporation Products",
          "product_id": "CSAFPID-1837b4d0-39ef-11f1-8422-122e2785dc9f"
        }
      }
    ]
  }
}