CVE-2020-10126

EPSS 0.02%
Published 21.08.2020 21:15:11
Last modified 21.11.2024 04:54:52
Source cret@cert.org
Teams watchlist Login
Open Login

NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate softare updates for the bunch note acceptor (BNA), enabling an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges because while booting, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Ncr ≫ Aptra Xfs Version05.01.00

Ncr ≫ Selfserv Atm Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.028

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.6	0.9	6	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://kb.cert.org/vuls/id/815655

Third Party Advisory

US Government Resource

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2020-10126

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10126

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10126

EUVD