ATM security devs rush out patch after boffins deliver knockout blow
Researchers had full control and were able to make unauthorised withdrawals
Updated A firm that supplies security software for cash machines has updated its technology after researchers uncovered a number of serious shortcomings.
Flaws in GMV's Checker ATM Security technology created a means for hackers to remotely run malicious code on a targeted ATM. The CVE-2017-6968 vulnerability opened the door to all manner of mischief – including but not limited to the possibility of stealing money from a compromised device, according to researchers at Positive Technologies.
Checker ATM Security protects cash points by enforcing a wide range of restrictions: whitelisting with Application Control to block unauthorised applications, restricting attempts to connect peripheral devices such as a keyboard or mouse, limiting network connections using a firewall, and more.
Positive Technologies was able to develop exploits that disable Checker ATM Security, allowing arbitrary code to then run on the ATM. The exploit relied on a combo punch: a man-in-the-middle position on the ATM's network link to impersonate the control server, then a buffer overflow in the client's handling of the key-exchange response to deliver the knockout blow.
"To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection," said Georgy Zaytsev, a researcher with Positive Technologies. "During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution.
"This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorised money withdrawal."
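The client-side flaw Zaytsev describes, a server-chosen parameter length that is copied into a fixed buffer without ever being bounded, is a textbook overflow. The C below is an added illustration of that bug class and of the check that removes it; it is not code from Checker ATM Security or from Positive Technologies' exploit. The three-byte message header, the 256-byte key buffer, the message type value and every function name are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for the server's key-exchange reply (an assumption
 * for this example, not GMV's real protocol):
 *   byte 0     : message type (0x01 = public key parameter)
 *   bytes 1..2 : declared parameter length, big-endian
 *   bytes 3..  : parameter bytes
 */
#define MSG_PUBKEY 0x01
#define HDR_LEN    3
#define PUBKEY_BUF 256   /* fixed client-side buffer, the vulnerable pattern */

struct client_state {
    uint8_t pubkey[PUBKEY_BUF];
    size_t  pubkey_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: trusts the server-declared length outright. A rogue
 * "control server" reached via ARP spoofing or a hostile network segment can
 * declare a length far above PUBKEY_BUF and overrun the buffer. Returns 0 on
 * success, -1 on a malformed header. Never feed it an oversized message: the
 * overflow is real, i.e. undefined behaviour. */
int parse_pubkey_vulnerable(struct client_state *st, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HDR_LEN || msg[0] != MSG_PUBKEY) return -1;
    uint16_t declared = rd16(msg + 1);
    memcpy(st->pubkey, msg + HDR_LEN, declared);   /* no bound against PUBKEY_BUF */
    st->pubkey_len = declared;
    return 0;
}

/* Hardened version: bound the declared length by the buffer size AND by the
 * bytes actually received, and reject before anything is copied.
 * Returns 0 ok, -1 bad header, -2 would overflow, -3 message truncated. */
int parse_pubkey_hardened(struct client_state *st, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HDR_LEN || msg[0] != MSG_PUBKEY) return -1;
    uint16_t declared = rd16(msg + 1);
    if (declared == 0 || declared > PUBKEY_BUF) return -2;
    if ((size_t)declared > msg_len - HDR_LEN) return -3;
    memcpy(st->pubkey, msg + HDR_LEN, declared);
    st->pubkey_len = declared;
    return 0;
}

/* Build a reply the way a server (legit or rogue) would. Returns bytes written. */
size_t build_pubkey_msg(uint8_t *out, size_t out_cap, uint16_t param_len, uint8_t fill)
{
    if (out_cap < HDR_LEN + (size_t)param_len) return 0;
    out[0] = MSG_PUBKEY;
    out[1] = (uint8_t)(param_len >> 8);
    out[2] = (uint8_t)(param_len & 0xff);
    memset(out + HDR_LEN, fill, param_len);
    return HDR_LEN + param_len;
}

/* Scenario helpers returning the parser's verdict (constructed inputs). */

/* Legitimate 128-byte parameter: both parsers accept it. 0 = ok. */
int scenario_legit(int hardened)
{
    struct client_state st = {0};
    uint8_t msg[HDR_LEN + 128];
    size_t n = build_pubkey_msg(msg, sizeof msg, 128, 0x41);
    int rc = hardened ? parse_pubkey_hardened(&st, msg, n)
                      : parse_pubkey_vulnerable(&st, msg, n);
    return (rc == 0 && st.pubkey_len == 128) ? 0 : -100;
}

/* Rogue server declares 4096 bytes, 16x the client buffer. Only the hardened
 * parser is run here; the vulnerable one would genuinely overflow. */
int scenario_rogue_oversized(void)
{
    struct client_state st = {0};
    uint8_t msg[HDR_LEN + 4096];
    size_t n = build_pubkey_msg(msg, sizeof msg, 4096, 0x90);
    return parse_pubkey_hardened(&st, msg, n);
}

/* Header lies the other way: declares 200 bytes but only 16 follow, so a
 * naive copy would read past the received data. */
int scenario_truncated(void)
{
    struct client_state st = {0};
    uint8_t msg[HDR_LEN + 16];
    size_t n = build_pubkey_msg(msg, sizeof msg, 16, 0x41);
    msg[1] = 0x00; msg[2] = 0xC8;   /* 0x00C8 = 200 */
    return parse_pubkey_hardened(&st, msg, n);
}

int main(void)
{
    printf("legit/vulnerable: %d\n", scenario_legit(0));
    printf("legit/hardened:   %d\n", scenario_legit(1));
    printf("rogue 4096 bytes: %d (hardened rejects)\n", scenario_rogue_oversized());
    printf("truncated 200/16: %d (hardened rejects)\n", scenario_truncated());
    return 0;
}
```

The length check has to cover both directions a lying header can go: a declared length larger than the destination buffer overruns the client, and one larger than the bytes actually received makes the copy read past the message. Rejecting before the copy fixes the bug itself rather than relying on address unpredictability to make it hard to exploit, so the fix holds whichever Windows version the ATM runs.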
The developer confirmed the issue in Checker ATM Security versions 4.x and 5.x before providing a critical patch for the affected versions to all its customers worldwide, according to Positive Technologies. GMV is yet to respond to El Reg's request for comment on the matter.
Positive Technologies' experts have previously identified a number of other issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore last year. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with System privileges, escalation of user privileges from Guest to System, or a crash of the ATM operating system. ®
Update: A spokesperson for GMV contacted The Reg to comment: "This vulnerability has been detected by Positive Technologies in their laboratories and until today we haven’t received any report about an attack in ATMs taking advantage of this vulnerability.
"The possibility to exploit this bug is quite remote because: firstly, [it] requires access to the ATM network and if you have that kind of access it is easier to attack weaker objectives.
"Secondly, the attack is difficult to be systematically exploited in an ATM network. In order to exploit it, the attacker needs some memory addresses that are strongly dependent on the Windows kernel version; while on Windows XP systems it could theoretically be possible to take advantage of the vulnerability, on Windows 7 it is almost impossible because those memory addresses are different in every Windows installation." GMV added that after the vulnerability was reported to it by Positive Technologies, its researchers were able to reproduce the attack, confirm the affected versions and develop a patch.