Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Diebold Nixdorf ProCash 2100xe USB ATM does not adequately secure communications between CCDM and host
Informations
Name VU#221785 First vendor Publication 2020-08-24
Vendor VU-CERT Last vendor Modification 2020-08-24
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Overall CVSS Score 7.1
Base Score 7.1 Environmental Score 7.1
impact SubScore 6 Temporal Score 7.1
Exploitabality Sub Score 0.5
 
Attack Vector Physical Attack Complexity High
Privileges Required None User Interaction None
Scope Changed Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 4.4 Attack Range Local
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

Diebold Nixdorf 2100xe USB automated teller machines (ATMs) are vulnerable to physical attacks on the communication channel between the cash and check deposit module (CCDM) and the host computer. An attacker with physical access to internal ATM components may be able to exploit this vulnerability to commit deposit forgery.

Description

Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer. An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer.

A similar vulnerability identified as CVE-2020-10124 is decribed in VU#815655. CVE-2020-10124 affects the bunch note acceptor (BNA) in ATMs supplied by a different vendor. The BNA is functionally similar to the CCDM.

Impact

By modifying deposit transaction messages, an attacker may be able to commit deposit forgery. Such an attack requires two separate transactions. The attacker must first deposit actual currency and modify messages from the CCDM to the host computer to indicate a greater amount or value than was actually deposited. Then the attacker must make a withdrawal for an artificially increased amount or value of currency. This second transaction may need to occur at an ATM operated by a different financial institution (i.e., a not-on-us or OFF-US transaction).

Solution

Obtain advice from vendor

Diebold Nixdorf released a document titled "Potential CCDM Deposit Forgery" on February 27, 2020 that details the recommended procedures for addressing this vulnerability. Contact the vendor to obtain the document.

Apply an update

The vendor has released an update to secure communications between the CCDM and the host computer. Contact the vendor regarding this software update.

Consider additional countermeasures

In addition to applying a software update, the vendor recommends limiting physical access to the ATM (including internal components), adjusting deposit transaction business logic, and implementing fraud monitoring. For details about these additional recommended countermeasures, contact the vendor.

Acknowledgements

This vulnerability was researched and reported by Maxim Kozorez. At the time of the initial report, Maxim Kozorez was associated with Embedi.

Coordinating with Embedi was supported by U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) License No. CYBER2-2019-359003-1, Cyber-Related Sanctions Regulations License issued April 2, 2019 to Licensees: CERT Coordination Center at Carnegie Mellon?s Software Engineering Institute (CERT), U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the National Cybersecurity and Communications Integration Center.

This document was written by Eric Hatleback and Laurie Tyzenhaus.

Original Source

Url : https://kb.cert.org/vuls/id/221785

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-311 Missing Encryption of Sensitive Data (CWE/SANS Top 25)
50 % CWE-306 Missing Authentication for Critical Function (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2020-09-02 21:29:04
  • Multiple Updates
2020-09-02 17:29:06
  • Multiple Updates
2020-09-02 17:17:37
  • First insertion