Lucene search

CertccCVE-2020-9063

HistoryAug 21, 2020 - 9:15 p.m.

CVE-2020-9063

2020-08-2121:15:12

CWE-120

certcc

web.nvd.nist.gov

ncr

selfserv

atm

aptra

xfs

security

vulnerability

usb

hid

buffer overflow

arbitrary code execution

nvd

cve-2020-9063

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.003

Percentile

69.4%

JSON

NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not authenticate or protect the integrity of USB HID communications between the currency dispenser and the host computer, permitting an attacker with physical access to internal ATM components the ability to inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer by causing a buffer overflow on the host.

Affected configurations

Nvd

Node

ncrselfserv_atmMatch-

AND

ncraptra_xfsRange≤05.01.00

VendorProductVersionCPE
ncrselfserv_atm-cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*
ncraptra_xfs*cpe:2.3:o:ncr:aptra_xfs:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ncr	selfserv_atm	-	cpe:2.3:h:ncr:selfserv_atm:-:::::::*
ncr	aptra_xfs	*	cpe:2.3:o:ncr:aptra_xfs::::::::

CNA Affected

[
  {
    "product": "SelfServ ATM",
    "vendor": "NCR",
    "versions": [
      {
        "lessThanOrEqual": "05.01.00",
        "status": "affected",
        "version": "APTRA XFS",
        "versionType": "custom"
      }
    ]
  }
]

References

kb.cert.org/vuls/id/116713

www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf

www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf

www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf

www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.003

Percentile

69.4%

JSON

Related for CVE-2020-9063