CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
69.4%
NCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.
NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.
USB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.
The currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)
An attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.
Software, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.
APTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.
APTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:
In addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:
See the NCR Secure Whitepaper for further information.
When implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.
These vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.
Coordinating with Embedi was supported by U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellonโs Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.
This document was written by Eric Hatleback and Laurie Tyzenhaus.
116713
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2020-08-12 Updated: 2020-08-20 CVE-2020-10123 | Affected |
---|---|
CVE-2020-9063 | Affected |
The security of NCRโs cash dispenser module is critically important, and NCR continuously upgrades and improves the resistance of these modules to attack, including the class of attack known as โblack boxโ where the attacker has access to the communications cable to the dispenser. NCR advises all customers that it is critically important that APTRA XFS software is kept up to date to ensure that the latest security patches are always installed. We note that the version of software referenced in this report, APTRA XFS 05.01 was released in 2010, and discontinued for support in 2015. Any customer still using unsupported software should upgrade at the earliest possible opportunity. For advice on upgrade versions, NCR would direct our customers to the latest advisory for dispenser software, attached, which will protect from all known โBlack Boxโ attack methods, including the issues identified in this report.
CVE IDs: | CVE-2020-10123 CVE-2020-9063 |
---|---|
Date Public: | 2020-08-20 Date First Published: |
home.treasury.gov/news/press-releases/sm0410
www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf
www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf
www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf
www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf
www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180611.aspx
www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pdf
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
69.4%