CVE-2020-10124 - OpenCVE

NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery.

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ncr	Aptra Xfs Selfserv Atm

Configuration 1 [-]

AND

cpe:2.3:o:ncr:aptra_xfs:05.01.00:*:*:*:*:*:*:*

cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*

References

Link	Resource
https://kb.cert.org/vuls/id/815655	Third Party Advisory US Government Resource
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2020-08-20T00:00:00

Updated: 2020-08-21T20:30:39

Reserved: 2020-03-05T00:00:00

Link: CVE-2020-10124

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-21T21:15:11.433

Modified: 2021-12-20T22:32:07.267

Link: CVE-2020-10124

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "SelfServ ATM", "vendor": "NCR", "versions": [{"status": "affected", "version": "APTRA XFS 05.01.00"}]}], "datePublic": "2020-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-353", "description": "CWE-353 Missing Support for Integrity Check", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-21T20:30:39", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kb.cert.org/vuls/id/815655"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2020-08-20T16:34:00.000Z", "ID": "CVE-2020-10124", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SelfServ ATM", "version": {"version_data": [{"version_affected": "=", "version_name": "APTRA XFS ", "version_value": "05.01.00"}]}}]}, "vendor_name": "NCR"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-353 Missing Support for Integrity Check"}]}, {"description": [{"lang": "eng", "value": "CWE-306 Missing Authentication for Critical Function"}]}, {"description": [{"lang": "eng", "value": "CWE-311 Missing Encryption of Sensitive Data"}]}]}, "references": {"reference_data": [{"name": "https://kb.cert.org/vuls/id/815655", "refsource": "MISC", "url": "https://kb.cert.org/vuls/id/815655"}, {"name": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_", "refsource": "MISC", "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2020-10124", "datePublished": "2020-08-20T00:00:00", "dateReserved": "2020-03-05T00:00:00", "dateUpdated": "2020-08-21T20:30:39", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ncr:aptra_xfs:05.01.00:*:*:*:*:*:*:*", "matchCriteriaId": "488456FE-C4C8-43D6-B6A2-5BFC3EC076EC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*", "matchCriteriaId": "B95CF58A-28C7-4C1E-8B83-7BF0D515FF34", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery."}, {"lang": "es", "value": "Los Cajeros Autom\u00e1ticos NCR SelfServ que ejecutan APTRA XFS versiones 05.01.00 no cifran, ni autentican, ni verifican la integridad de los mensajes entre el BNA y el computador host, lo que podr\u00eda permitir a un atacante con acceso f\u00edsico a los componentes internos del Cajero Autom\u00e1tico ejecutar c\u00f3digo arbitrario, incluyendo c\u00f3digo que permite al atacante cometer falsificaciones de dep\u00f3sitos."}], "id": "CVE-2020-10124", "lastModified": "2021-12-20T22:32:07.267", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-21T21:15:11.433", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/815655"}, {"source": "cret@cert.org", "tags": ["Broken Link"], "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-311"}, {"lang": "en", "value": "CWE-353"}], "source": "cret@cert.org", "type": "Secondary"}]}