search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NCR SelfServ ATM dispenser software contains multiple vulnerabilities

Vulnerability Note VU#116713

Original Release Date: 2020-08-20 | Last Revised: 2020-08-20

Overview

NCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.

Description

NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.

CVE-2020-9063

USB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.

CVE-2020-10123

The currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)

Impact

An attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.

Solution

Software, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.

Update software and hardware

APTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.

Update firmware

APTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:

  1. USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)
  2. USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)

Update configuration

In addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:

  1. Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers
  2. Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers)

See the NCR Secure Whitepaper for further information.

When implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.

Acknowledgements

These vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.

Coordinating with Embedi was supported by U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.

This document was written by Eric Hatleback and Laurie Tyzenhaus.

Vendor Information

116713
 

NCR Corporation Affected

Notified:  2020-08-12 Updated: 2020-08-20

CVE-2020-10123 Affected
CVE-2020-9063 Affected

Vendor Statement

The security of NCR’s cash dispenser module is critically important, and NCR continuously upgrades and improves the resistance of these modules to attack, including the class of attack known as ‘black box’ where the attacker has access to the communications cable to the dispenser. NCR advises all customers that it is critically important that APTRA XFS software is kept up to date to ensure that the latest security patches are always installed. We note that the version of software referenced in this report, APTRA XFS 05.01 was released in 2010, and discontinued for support in 2015. Any customer still using unsupported software should upgrade at the earliest possible opportunity. For advice on upgrade versions, NCR would direct our customers to the latest advisory for dispenser software, attached, which will protect from all known ‘Black Box’ attack methods, including the issues identified in this report.

References


Other Information

CVE IDs: CVE-2020-10123 CVE-2020-9063
Date Public: 2020-08-20
Date First Published: 2020-08-20
Date Last Updated: 2020-08-20 14:21 UTC
Document Revision: 1

Sponsored by CISA.