Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software

Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hack. 

Researchers from the Synack Red Team found multi flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs. 

ScrutisWeb software is developed by Lagona, it allows to remotely manage ATMs fleets. Operators can use the software to send and receive files to a device, modifying data, reboot a device or shut down a terminal.

The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.

Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38. 

The CVE-2023-33871 is an Absolute Path Traversal that an allow to download configurations, logs and databases from the server.

The CVE-2023-35189 is a Remote Code Execution that could be chained with the other issues to gain user access to the ATM controller.

The CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system.ì, including administrators.

The CVE-2023-35763 is Hardcoded encryption key that can allow to retrieve Plaintext administrator credentials.

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities, the agency also provides the following recommendations:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ScrutisWeb ATM)

The post Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software appeared first on Security Affairs.