CVE-2020-10123

Exploit

EPSS 0.1%
Published 21.08.2020 21:15:11
Last modified 21.11.2024 04:54:52
Source cret@cert.org
Teams watchlist Login
Open Login

The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.

Affected products Warnungen 0 Metrics 3 CWE 2 References 8

Data is provided by the National Vulnerability Database (NVD)

Ncr ≫ Aptra Xfs Version <= 05.01.00

Ncr ≫ Selfserv Atm Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.29

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	0.9	4	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:P/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

https://kb.cert.org/vuls/id/116713

Third Party Advisory

US Government Resource

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf

Vendor Advisory

Exploit

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf

Vendor Advisory

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf

Vendor Advisory

https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf

Vendor Advisory