Critical RCE affects older Diebold Nixdorf ATMs

Automated teller machine vendor Diebold Nixdorf has released security updates to address a remote code execution vulnerability in older ATMs.

Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers in installing security updates it has released to address the flaw.

The vulnerability affects older Opteva model ATMs, Diebold Nixdorf will start notifying the customers next week.

The group of security researchers NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that had access to an ATM of Diebold vendor and started analyzing the machine a simple PC running Windows OS and exposing some services implemented by the ATM provider. The focused their analysis on the Spiservice service listening on post 8043.

“Look at the output of command, there is a service (Spiservice) which running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”

The ATM tested by the expert is running Aglis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, experts noticed it calls many libraries, including a library called VDMXFS.dll.

According to Diebold Nixdorf, this service only runs on Opteva version 4.x software, successive versions are not affected.

The application use RemotingConfiguration.Configure and accepts “server.config” as a parameter used to load config. Analyzing the file, the experts discovered that the program uses the .NET Remoting technique. This technique allows different applications to communicate with each other. 

The researchers created two applications to remotely interact with the application and captured the network traffic, with this trick they found the application HTTP SOAP protocol used for the communication.

The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22 that doesn’t expose the service’s configuration online.

The experts pointed out that this attack could be prevented by properly configuring the terminal-based firewall that is included in the older version of Opteve ATMs. the good news is that the firewall is enabled by default, this means that only ATM owners that disabled it are at risk.

The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.

At the time, there is not news of attacks in the wild that exploited this RCE flaw.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Diebold Nixdorf, ATM)

[adrotate banner=”5″]

[adrotate banner=”13″]