Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Title NCR SelfServ ATM dispenser software contains multiple vulnerabilities
Name VU#116713 First vendor Publication 2020-08-20
Vendor VU-CERT Last vendor Modification 2020-08-20
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Overall CVSS Score 7.6
Base Score 7.6 Environmental Score 7.6
impact SubScore 6 Temporal Score 7.6
Exploitabality Sub Score 0.9
Attack Vector Physical Attack Complexity Low
Privileges Required None User Interaction None
Scope Changed Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores



NCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.


NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.


USB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.


The currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)


An attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.


Software, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.

Update software and hardware

APTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.

Update firmware

APTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:

  1. USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)
  2. USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)

Update configuration

In addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:

  1. Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers
  2. Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers)

See the NCR Secure Whitepaper for further information.

When implemented together, these mitigations address both CVE-2020-9063 and CVE-2020-10123.


These vulnerabilities were researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.

Coordinating with Embedi was supported by U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon?s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.

This document was written by Eric Hatleback and Laurie Tyzenhaus.

Original Source

Url : https://kb.cert.org/vuls/id/116713

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-287 Improper Authentication
50 % CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Os 2

Alert History

If you want to see full details history, please login or register.
Date Informations
2020-09-02 21:29:04
  • Multiple Updates
2020-09-02 17:29:06
  • Multiple Updates
2020-09-02 17:17:38
  • First insertion