NCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.
NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.
USB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.
The currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)
An attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.
Software, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.
Update software and hardware
APTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.
APTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:
- USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)
- USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)
In addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:
- Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers
- Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers)
See the NCR Secure Whitepaper for further information.
When implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.
These vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.
Coordinating with Embedi was supported by U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.
This document was written by Eric Hatleback and Laurie Tyzenhaus.