{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/221785#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nDiebold Nixdorf ProCash 2100xe USB automated teller machines (ATMs) are vulnerable to physical attacks on the communication channel between the cash and check deposit module (CCDM) and the host computer. An attacker with physical access to internal ATM components may be able to exploit this vulnerability to commit deposit forgery.\r\n\r\n### Description\r\nDiebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer. An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send the modified messages on to the host computer.\r\n\r\nA similar vulnerability, identified as [CVE-2020-10124](https://nvd.nist.gov/vuln/detail?vulnId=2020-10124), is described in [VU#815655](https://kb.cert.org/vuls/id/815655). CVE-2020-10124 affects the bunch note acceptor (BNA) in ATMs supplied by a different vendor. The BNA is functionally similar to the CCDM.\r\n\r\n### Impact\r\nBy modifying deposit transaction messages, an attacker may be able to commit deposit forgery. Such an attack requires two separate transactions. The attacker must first deposit actual currency and modify the messages from the CCDM to the host computer so that they indicate a greater amount or value than was actually deposited. Then the attacker must make a withdrawal for the artificially increased amount or value of currency. 
This second transaction may need to occur at an ATM operated by a different financial institution (i.e., a not-on-us or OFF-US transaction).\r\n\r\n### Solution\r\n#### Obtain advice from vendor\r\nDiebold Nixdorf released a document titled \"Potential CCDM Deposit Forgery\" on February 27, 2020 that details the recommended procedures for addressing this vulnerability. Contact the vendor to obtain the document.\r\n\r\n#### Apply an update\r\nThe vendor has released an update to secure communications between the CCDM and the host computer. Contact the vendor regarding this software update.\r\n\r\n#### Consider additional countermeasures\r\nIn addition to applying a software update, the vendor recommends limiting physical access to the ATM (including internal components), adjusting deposit transaction business logic, and implementing fraud monitoring. For details about these additional recommended countermeasures, contact the vendor.\r\n\r\n### Acknowledgements\r\nThis vulnerability was researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.\r\n\r\nCoordinating with Embedi was supported by *U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.*\r\n\r\nThis document was written by Eric Hatleback and Laurie Tyzenhaus.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support the \"known_affected\" and \"known_not_affected\" statuses. Please consult the vendor's statements and the advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"Diebold Nixdorf is aware of this publication and supports customers in identifying potential mitigations specific to their environment. For detailed information, please contact your local sales representative or your Diebold Nixdorf security expert at security@dieboldnixdorf.com.\r\n\r\nFor this specific case, the Fact Sheet “Potential CCDM Deposit Forgery” was published to inform about the potential risk and respective mitigations. In case you are a member of the Banking Industry but have not received this Fact Sheet, please subscribe to ACTive Security Alerts and Fact Sheets to stay informed about security-related communication.\r\n\r\nBanking-related industry peers can register for a free subscription at info.gsp@dieboldnixdorf.com (contact and company details to be included).","title":"Vendor statement from Diebold Nixdorf"},{"category":"other","text":"Please contact Diebold Nixdorf directly if you need assistance with addressing this vulnerability.","title":"CERT/CC comment on Diebold Nixdorf notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1 412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/221785"},{"url":"https://home.treasury.gov/news/press-releases/sm0410","summary":"https://home.treasury.gov/news/press-releases/sm0410"},{"url":"https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx","summary":"https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx"},{"url":"https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf","summary":"https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf"}],"title":"Diebold Nixdorf ProCash 2100xe USB ATM does not adequately secure communications between CCDM and host","tracking":{"current_release_date":"2020-08-24T17:40:41+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#221785","initial_release_date":"2020-08-20 14:21:33.015909+00:00","revision_history":[{"date":"2020-08-24T17:40:41+00:00","number":"1.20200824174041.2","summary":"Released on 2020-08-24T17:40:41+00:00"}],"status":"final","version":"1.20200824174041.2"}},"vulnerabilities":[{"title":"Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.","notes":[{"category":"summary","text":"Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages arriving at the host computer from the cash and check deposit module (CCDM)."}],"cve":"CVE-2020-9062","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#221785"}],"product_status":{"known_affected":["CSAFPID-1dd4b1c2-39ef-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Diebold Nixdorf","product":{"name":"Diebold Nixdorf Products","product_id":"CSAFPID-1dd4b1c2-39ef-11f1-8422-122e2785dc9f"}}]}}
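The Description and Solution sections above state the weakness (messages from the CCDM to the host are neither authenticated nor integrity-checked, so an in-path attacker can rewrite the deposited amount) and the class of fix (securing the channel), without describing the actual wire format or the vendor's update. The following is an added illustration written for this page; it is not Diebold Nixdorf, Wincor Probase, or CERT/CC code. The `DEP|seq|currency|amount` message layout, the field names, the shared key, and the host-side `AuthenticatedHost` class are all hypothetical. It shows an unauthenticated host parser accepting a rewritten amount, then a keyed-MAC variant with a monotonically increasing sequence number rejecting both the altered message and a replay of the genuine one.

```python
"""Added illustration (hypothetical message format, not vendor code):
why an unauthenticated deposit-module-to-host message can be altered in
transit, and how a keyed MAC plus a sequence number lets the host reject it."""
import hashlib
import hmac
import secrets


def build_deposit_msg(seq: int, currency: str, amount_cents: int) -> bytes:
    """Hypothetical deposit-complete message: 'DEP|<seq>|<currency>|<amount_cents>'."""
    return f"DEP|{seq}|{currency}|{amount_cents}".encode()


def parse_unauthenticated(msg: bytes) -> dict:
    """Host-side parse with no integrity check: it trusts whatever arrives on the link."""
    kind, seq, currency, amount = msg.decode().split("|")
    if kind != "DEP":
        raise ValueError("unexpected message type")
    return {"seq": int(seq), "currency": currency, "amount_cents": int(amount)}


def tamper_amount(msg: bytes, new_amount_cents: int) -> bytes:
    """In-path modification: rewrite only the amount field, leave everything else intact."""
    kind, seq, currency, _ = msg.decode().split("|")
    return f"{kind}|{seq}|{currency}|{new_amount_cents}".encode()


def seal(msg: bytes, key: bytes) -> bytes:
    """Hardened sender: append HMAC-SHA256 over the whole plaintext under a key
    shared by module and host (key provisioning is out of scope here)."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg + b"|" + tag.hex().encode()


def tamper_sealed(sealed: bytes, new_amount_cents: int) -> bytes:
    """Same in-path edit against a sealed message: the old tag no longer matches."""
    body, _, tag_hex = sealed.rpartition(b"|")
    return tamper_amount(body, new_amount_cents) + b"|" + tag_hex


class AuthenticatedHost:
    """Hardened receiver: constant-time MAC check first, then strict sequence ordering
    so a captured genuine message cannot be replayed for a second credit."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, sealed: bytes) -> dict:
        body, _, tag_hex = sealed.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
            raise ValueError("bad MAC: message altered or not from the module")
        rec = parse_unauthenticated(body)
        if rec["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = rec["seq"]
        return rec


def demo() -> dict:
    """Run both receivers against a constructed deposit of 100.00 USD (amount in cents)."""
    key = secrets.token_bytes(32)  # constructed demo key
    real = build_deposit_msg(1, "USD", 10_000)
    forged = tamper_amount(real, 1_000_000)  # attacker claims 10,000.00 USD
    results = {}
    # Weak host: the forged amount is credited as-is.
    results["unauthenticated_accepts"] = parse_unauthenticated(forged)["amount_cents"]
    # Hardened host: genuine message is accepted once, tampered and replayed copies are refused.
    host = AuthenticatedHost(key)
    sealed = seal(real, key)
    results["authentic_ok"] = host.accept(sealed)["amount_cents"]
    for label, bad in (("tampered", tamper_sealed(sealed, 1_000_000)), ("replayed", sealed)):
        try:
            host.accept(bad)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC only helps if the key is not readable from the same internal components the attacker already has physical access to; this is why the note's additional countermeasures (restricting access to internals, deposit business-logic limits, fraud monitoring) still matter after the channel is secured. Encrypting the messages as well would hide amounts from a passive observer but is not what stops forgery; authentication and freshness are.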