Diebold Nixdorf, one of the world’s largest ATM vendors, will notify customers starting next week about ways to secure older Opteva-branded ATMs against a remote code execution (RCE) vulnerability that was publicly disclosed this week.
Details about this vulnerability have been published on Medium on Monday, June 4, by a group of Vietnamese security researchers named NightSt0rm.
OS service left open over HTTP
Researchers said they found an externally facing OS service on older Opteva ATM terminals that could be abused to plant reverse shells on exposed systems and take over devices.
“The potential exposure was a part of the Agilis XFS service using .Net remoting over an externally facing HTTP channel,” Diebold Nixdorf wrote in a security alert the company shared with ZDNet yesterday, and which they plan to send to customers on Monday, next week.
The company says this service only runs on Opteva version 4.x software. Recent versions are not affected.
The ATM maker has released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22 that changes the service’s configuration from externally facing HTTP to interprocess communication. This software fix should prevent any remote attacker from being able to interact with the device via the internet or from a local network.
Firewall must be disabled
“In general, the attack can be mitigated by utilizing a properly configured, terminal-based firewall,” a Diebold Nixdorf spokesperson told ZDNet in an email. The older Opteva ATMs ship with such a firewall included.
The company said the researchers disabled this firewall during their tests, and Opteva ATMs should be normally safe against attacks using this vulnerability — unless ATM owners disabled the firewall on purpose.
However, the company is taking all the necessary steps to warn customers of the potential of any misconfigurations. Besides a software update, the ATM maker will also include five additional steps that customers can implement to safeguard devices against attacks.
Responsible disclosure snafu
NightSt0rm published details about this extremely dangerous RCE vulnerability this week after they contacted Diebold Nixdorf and got no reply.
However, the ATM vendor told ZDNet it all was a misunderstanding.
“Unfortunately, they initially reached out to us via the ‘Contact Us’ form on our web site, which receives hundreds of submissions monthly, with a very general claim about a security vulnerability in one of our ATMs,” a spokesperson told us.
“Their initial claims were not ignored. We have been in contact with them this week to learn more.”
All in all, unless a bank has been extremely unprofessional and sloppy in managing its ATM fleet, this vulnerability should be patched before any attacks are ever carried out.
“At this time, we have not received any reports that this attack has been exploited in the field in a real-world situation,” Diebold Nixdorf told ZDNet via email.
More vulnerability reports: