ATM manufacturers Diebold Nixdorf and NCR have fixed a number of vulnerabilities in their products that allowed arbitrary code execution, with or without SYSTEM-level privileges, as well as illegal cash withdrawals triggered by special commands.
A similar vulnerability (CVE-2020-10124) was
Two more vulnerabilities (CVE-2020-10125 and CVE-2020-10126) relate to incorrect certificate handling during BNA (bank note acceptor) update checks and incorrect validation of BNA updates themselves, which allowed code to be executed on the host with or without system privileges.
To exploit the vulnerabilities, an attacker needs physical access to the internal components of the ATM.
At the end of July, Diebold Nixdorf announced a new type of black box attacks on ATMs, in which attackers used a copy of the ATM’s firmware to interact with the device.