Positive Technologies discovers vulnerability in ATM security software

Users of Checker ATM Security urged to install vendor-issued security patch.

Positive Technologies has discovered a serious vulnerability in GMV’s Checker ATM Security. The defect allows an attacker to remotely run code on a targeted ATM to increase his privileges in the system, infect it and steal money.

Checker ATM Security protects ATMs by enforcing a wide range of restrictions in software: whitelisting with Application Control to block unauthorized applications, restricting attempts to connect peripheral devices – such as a keyboard or mouse, limiting network connections with a firewall, and more.

“To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection. During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution,” explained Positive Technologies researcher, Georgy Zaytsev. “This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorized money withdrawal”.

Zaytsev developed test exploits that disable Checker ATM Security, and allow arbitrary code to then run on the ATM.

The developer has confirmed this issue in Checker ATM Security versions 4.x and 5.x and has already provided a patch for the affected versions to all its customers worldwide, which are advised to install it immediately.

Positive Technologies’ experts have previously identified a number of issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore in 2016. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with SYSTEM privileges, escalation of user privileges from Guest to SYSTEM, or a crash of the ATM operating system.