Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers in installing security updates it has released to address the flaw.
The vulnerability affects older Opteva model ATMs, Diebold Nixdorf will start notifying the customers next week.
The group of security researchers NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that had access to an ATM of Diebold vendor and started analyzing the machine a simple PC running Windows OS and exposing some services implemented by the ATM provider. The focused their analysis on the Spiservice service listening on post 8043.
“Look at the output of command, there is a service (Spiservice) which running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”
The ATM tested by the expert is running Aglis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, experts noticed it calls many libraries, including a library called VDMXFS.dll.
According to Diebold Nixdorf, this service only runs on Opteva version 4.x software, successive versions are not affected.
The application use RemotingConfiguration.Configure and accepts “server.config” as a parameter used to load config. Analyzing the file, the experts discovered that the program uses the .NET Remoting technique. This technique allows different applications to communicate with each other.
The researchers created two applications to remotely interact with the application and captured the network traffic, with this trick they found the application HTTP SOAP protocol used for the communication.
The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22 that doesn’t expose the service’s configuration online.
The experts pointed out that this attack could be prevented by properly configuring the terminal-based firewall that is included in the older version of Opteve ATMs. the good news is that the firewall is enabled by default, this means that only ATM owners that disabled it are at risk.
The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.
At the time, there is not news of attacks in the wild that exploited this RCE flaw.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Diebold Nixdorf, ATM)
[adrotate banner=”5″]
[adrotate banner=”13″]
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
This website uses cookies.