ATM security devs rush out patch after boffins deliver knockout blow

A firm that supplies security software for cash machines has updated its technology after researchers uncovered a number of serious shortcomings.

Flaws in GMV’s Checker ATM Security technology created a means for hackers to remotely run malicious code on a targeted ATM. The CVE-2017-6968 vulnerability opened the door to all manner of mischief – including but not limited to the possibility of stealing money from a compromised device, according to researchers at Positive Technologies.

Checker ATM Security protects cash points by enforcing a wide range of restrictions: whitelisting with Application Control to block unauthorised applications, restricting attempts to connect peripheral devices such as a keyboard or mouse, limiting network connections using a firewall, and more.

Positive Technologies was able to develop exploits that disable Checker ATM Security, allowing arbitrary code to then run on the ATM. The exploit relied on a combo punch: a man-in-the-middle to knock out crypto and buffer overflow to plant a knockout blow.

“To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection,” said Georgy Zaytsev, a researcher with Positive Technologies. “During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution.

“This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorised money withdrawal.”

The developer confirmed the issue in Checker ATM Security versions 4.x and 5.x before providing a critical patch for the affected versions to all its customers worldwide, according to Positive Technologies. GMV is yet to respond to El Reg‘s request for comment on the matter.

Positive Technologies’ experts have previously identified a number of other issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore last year. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with System privileges, escalation of user privileges from Guest to System, or a crash of the ATM operating system. ®

Source: The Register – Security @ May 3, 2017 at 10:00AM