Researchers from the Synack Red Team found multiple flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs.
ScrutisWeb software is developed by Lagona and allows operators to remotely manage ATM fleets. Operators can use the software to send files to and receive files from a device, modify data, reboot a device or shut down a terminal.
The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.
Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38.
CVE-2023-33871 is an Absolute Path Traversal that can allow an attacker to download configurations, logs and databases from the server.
CVE-2023-35189 is a Remote Code Execution flaw that could be chained with the other issues to gain user access to the ATM controller.
CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system, including administrators.
CVE-2023-35763 is a hardcoded encryption key that can allow an attacker to recover plaintext administrator credentials.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities; the agency also provides the following recommendations:
(SecurityAffairs – hacking, ScrutisWeb ATM)