Critical RCE flaw in ATM security software found
Researchers from Positive Technologies have unearthed a critical vulnerability (CVE-2017-6968) in Checker ATM Security by Spanish corporate group GMV Innovating Solutions.
The software and the flaw
Checker ATM Security is a specialized security solution aimed at keeping ATMs safe from logical attacks. It does so by enforcing application whitelisting, full hard disk encryption, providing ACL-based control of process execution and resource access, enforcing security policies, restricting attempts to connect peripheral devices, and so on.
The found flaw can be exploited to remotely run code on a targeted ATM, increase the attacker’s privileges in the system, and compromise the machine completely.
“To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection,” researcher Georgy Zaytsev explained.
“During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution. This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorized money withdrawal”.”
When informed of the vulnerability and provided with test exploits, GMV confirmed its existence and that it affects versions 4.x and 5.x of the software, and ultimately pushed out a patch, which users are urged to install as soon as possible.
Exploitation not detected in the wild
A company spokesperson has made sure to point out that there is no indication that the vulnerability has been exploited in attacks in the wild. Also, that exploitation is not that easy, as the attacker must first gain access to the ATM network and log into the target system.
“Secondly, the attack is difficult to be systematically exploited in an ATM network. In order to exploit it, the attacker needs some memory address that are strongly dependent on Windows kernel version, while in Windows XP systems could be theoretically possible to take advantage of the vulnerability, in Windows 7 is almost impossible because those memory address are different in every windows installation,” the spokesperson told The Register.
Like any software, security software is not immune to vulnerabilities and can open systems to exploitation. While antivirus and other security solutions for personal computers are often scrutinized and tested for flaws by third-party researchers, specialized security software has not, so far, received that amount of attention.
So, it’s good to hear that some researchers have decided to focus on them, and that vendors are positively responding to vulnerability disclosures.