Security News > 2020 > August > ATM makers fix flaws allowing illegal cash withdrawals

ATM makers fix flaws allowing illegal cash withdrawals
2020-08-21 08:45

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that allowed attackers to execute arbitrary code with or without SYSTEM privileges, and to make illegal cash withdrawals by committing deposit forgery and issueing valid commands to dispense currency.

"Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the cash and check deposit module and the host computer. An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer," the CERT Coordination Center at Carnegie Mellon University explained the root of CVE-2020-9062.

A deposit forgery attack starts with the attacker depositing actual currency and modifying messages from the CCDM to the host computer to indicate a greater amount or value than was actually deposited, and ends with the attacker making a withdrawal of this artificially increased amount or value of currency.

CVE-2020-10123 is caused by the currency dispenser's inadequate authentication of session key generation requests from the host computer, allowing the attacker to issue valid commands to dispense currency.

To exploit all of these flaws, attackers must have physical access to internal ATM components, but if they succeed, they can fiddle with the host system and steal money from banks.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/kmyt6QZo_Rs/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-08-21 CVE-2020-10123 Improper Authentication vulnerability in NCR Aptra XFS 04.02.01/05.01.00
The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.
low complexity
ncr CWE-287
5.3
2020-08-21 CVE-2020-9062 Missing Encryption of Sensitive Data vulnerability in Dieboldnixdorf Probase 1.1.30
Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting and modifying messages to the host computer, such as the amount and value of currency being deposited.
low complexity
dieboldnixdorf CWE-311
5.3