1. NCR SelfServ ATM BNA contains multiple vulnerabilities.
Overview:
NCR SelfServ automated teller machines (ATMs) running APTRA XFS 04.02.01 and 05.01.00 are vulnerable to physical attacks on the communications bus between the host computer and the bunch note accepter (BNA).
Description:
NCR ATM SelfServ devices running APTRA XFS 04.02.01 and 05.01.00 contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM, specifically the BNA and the host computer.
CVE-2020-10124
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer. A similar vulnerability is identified as CVE-2020-9062 in VU#221785. CVE-2020-9062 involves the cash and check deposit module (CCDM) in ATMs from a different vendor. The CCDM is functionally similar to the BNA.
CVE-2020-10125
NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate BNA software updates. Keys of this strength can be broken by an attacker in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code. (CWE-326)
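The defensive counterpart to this finding is an inventory check that flags signing keys below a minimum modulus size before they are trusted. The following C code is an added example, not NCR's code or anything from the advisory: it parses a DER-encoded PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }), reports the modulus bit length, and applies a policy floor. The keys it builds for itself are synthetic byte patterns of the requested size, not real keys; a production check would take the modulus from the X.509 certificate via a crypto library rather than a hand-written parser.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reads a DER tag/length header. Returns the header size and stores the
   content length in *len; returns 0 if the tag differs or the declared
   length would run past the bytes available. */
static size_t der_read_header(const uint8_t *p, size_t avail,
                              uint8_t expect_tag, size_t *len)
{
    if (avail < 2 || p[0] != expect_tag) return 0;
    size_t hdr = 2, l = p[1];
    if (l & 0x80) {                       /* long form: next n bytes hold the length */
        size_t n = l & 0x7F;
        if (n == 0 || n > 2 || avail < 2 + n) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if (l > avail - hdr) return 0;
    *len = l;
    return hdr;
}

/* Returns the modulus bit length of a DER PKCS#1 RSAPublicKey,
   or 0 if the encoding is malformed or truncated. */
int rsa_modulus_bits(const uint8_t *der, size_t der_len)
{
    size_t seq_len, mod_len;
    size_t h = der_read_header(der, der_len, 0x30, &seq_len);
    if (!h) return 0;
    const uint8_t *p = der + h;
    h = der_read_header(p, seq_len, 0x02, &mod_len);
    if (!h || mod_len == 0) return 0;
    p += h;
    size_t i = 0;
    while (i < mod_len && p[i] == 0) i++;  /* skip the sign-padding zero byte(s) */
    if (i == mod_len) return 0;            /* a zero modulus is not a key */
    int bits = (int)((mod_len - i - 1) * 8);
    for (uint8_t top = p[i]; top; top >>= 1) bits++;
    return bits;
}

/* Policy check: 512-bit keys fail against the usual 2048-bit floor. */
int rsa_bits_acceptable(int bits, int min_bits)
{
    return bits > 0 && bits >= min_bits;
}

static size_t der_write_header(uint8_t *out, uint8_t tag, size_t len)
{
    out[0] = tag;
    if (len < 0x80)  { out[1] = (uint8_t)len; return 2; }
    if (len < 0x100) { out[1] = 0x81; out[2] = (uint8_t)len; return 3; }
    out[1] = 0x82; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    return 4;
}

/* Builds a SYNTHETIC RSAPublicKey of the requested modulus size for testing.
   The modulus is a fixed byte pattern with its top bit set; it is not a real key. */
size_t build_synthetic_rsa_pubkey_der(uint8_t *out, size_t cap, size_t modulus_bytes)
{
    static const uint8_t exp_int[5] = {0x02, 0x03, 0x01, 0x00, 0x01}; /* e = 65537 */
    uint8_t mod_hdr[4], seq_hdr[4];
    size_t mh = der_write_header(mod_hdr, 0x02, modulus_bytes + 1);  /* +1 sign byte */
    size_t body = mh + modulus_bytes + 1 + sizeof exp_int;
    size_t sh = der_write_header(seq_hdr, 0x30, body);
    if (sh + body > cap) return 0;
    uint8_t *p = out;
    memcpy(p, seq_hdr, sh); p += sh;
    memcpy(p, mod_hdr, mh); p += mh;
    *p++ = 0x00;                       /* leading zero keeps the INTEGER positive */
    memset(p, 0xA5, modulus_bytes);    /* pattern bytes, not key material */
    p[0] |= 0x80;                      /* force the full bit length */
    p += modulus_bytes;
    memcpy(p, exp_int, sizeof exp_int); p += sizeof exp_int;
    return (size_t)(p - out);
}

/* Convenience wrapper: build a synthetic key, optionally truncate the encoding
   to `keep` bytes (0 = whole), and return the parsed bit length. */
int synthetic_key_bits(size_t modulus_bytes, size_t keep)
{
    uint8_t buf[1024];
    size_t n = build_synthetic_rsa_pubkey_der(buf, sizeof buf, modulus_bytes);
    if (n == 0) return 0;
    if (keep && keep < n) n = keep;
    return rsa_modulus_bits(buf, n);
}
```

The parser rejects truncated input rather than reading past the buffer, which matters when the check runs over files pulled from update media or removable storage rather than from a trusted store.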
CVE-2020-10126
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate software updates for the BNA. An attacker with physical access to internal ATM components can restart the host computer. During boot, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive. This allows an attacker to execute arbitrary code with SYSTEM privileges. (CWE-305)
Impact:
An attacker with physical access to the internal components of the ATM, including the BNA, can execute arbitrary code. An attacker may also be able to commit deposit forgery, with or without also executing arbitrary code.
A deposit forgery attack requires two separate transactions. The attacker must first deposit actual currency and manipulate the message from the BNA to the host computer to indicate a greater amount or value than was actually deposited. Then the attacker must make a withdrawal for an artificially increased amount or value of currency. This second transaction may need to occur at an ATM operated by a different financial institution (i.e., a not-on-us or OFF-US transaction).
Solution:
Apply an update
Update software to APTRA XFS 06.08. The update increases the strength of the RSA keys to limit the window of opportunity for an attacker to crack and misuse the keys (CVE-2020-10125). The update also provides protection against the bypass of the digital signature check (CVE-2020-10126).
2. NCR SelfServ ATM dispenser software contains multiple vulnerabilities.
Overview:
NCR SelfServ automated teller machines (ATMs) running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer.
Description:
NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain vulnerabilities that can be exploited by an attacker with physical access to the internal components of the ATM.
CVE-2020-9063
USB HID communications between the currency dispenser and the host computer are not authenticated or integrity protected and can be manipulated to cause a buffer overflow on the host. An attacker with physical access to internal ATM components can inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer.
CVE-2020-10123
The currency dispenser component does not adequately authenticate session key generation requests from the host computer. An attacker with physical access to internal ATM components can generate a new session key that the attacker knows. This allows the attacker to issue valid commands to dispense currency. (CWE-305)
Impact:
An attacker with physical access to the internal components of the ATM can execute arbitrary code on the host computer or withdraw currency.
Solution:
Software, hardware, firmware, and configuration updates may be necessary, depending upon the current state of a specific vulnerable ATM.
Update software and hardware
APTRA XFS 05.01 stopped receiving support in 2015. Any customers still using unsupported software and hardware should upgrade at the earliest possible opportunity.
Update firmware
APTRA XFS Dispenser Security Update 01.00.00 contains the following firmware updates:
USBCurrencyDispenser 04.01.01, firmware 0x0167 (for S1 dispensers)
USBMediaDispenser 03.04.00, firmware 0x0118 (for S2 dispensers)
Update configuration
In addition to Dispenser Security Update 01.00.00, the Dispenser Protection Level and Dispenser Authentication Sequence parameters should be properly configured. The recommended configurations are:
Dispenser Protection Level: Level 3 (Physical Protection) for S1 and S2 dispensers
Dispenser Authentication Sequence: Sequence 2 or higher (for S1 dispensers), or Sequence 1 or higher (for S2 dispensers).
3. GRUB2 bootloader is vulnerable to buffer overflow.
Overview:
The GRUB2 boot loader is vulnerable to buffer overflow, which results in arbitrary code execution during the boot process, even when Secure Boot is enabled.
Description:
GRUB2 is a multiboot boot loader that replaced GRUB Legacy in 2012. A boot loader is the first program that runs upon boot and loads the operating system. Many vendors also use a shim, a signed software package that contains the vendor’s certificate and code that verifies and runs the boot loader. This means that firmware Certificate Authority providers can just sign the shim as opposed to all of the other supported programs.
GRUB2 is vulnerable to a buffer overflow when parsing content from the GRUB2 configuration file (grub.cfg). This configuration file is an external file commonly located in the EFI System Partition and can therefore be modified by an attacker with administrator privileges without altering the integrity of the signed vendor shim and GRUB2 boot loader executables. This could allow an authenticated, local attacker to modify the contents of the GRUB2 configuration file to ensure that the attacker's chosen code is run before the operating system is loaded. This could allow the attacker to gain persistence on the device, even with Secure Boot enabled. All versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable.
Impact:
An authenticated, local attacker could modify the contents of the GRUB2 configuration file to execute arbitrary code that bypasses signature verification. This could allow the attacker to gain persistence on the device, even with Secure Boot enabled. Because the attacker's code runs before the operating system, the attacker could control how the operating system is loaded, directly patch the operating system, or even direct the bootloader to alternate OS images. All versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable.
Solution:
Apply an update if operationally feasible
Update GRUB2 to the latest version to address this vulnerability when operationally feasible. Some patches were originally reported to leave systems unbootable so users are encouraged to review and test patches prior to implementing them. Linux distributions and other vendors using GRUB2 will need to update their installers, boot loaders, and shims. New shims will need to be signed by the Microsoft 3rd Party UEFI Certificate Authority. Administrators of affected devices will need to update installed versions of operating systems as well as installer images, including disaster recovery media. Until all affected versions are added to the dbx revocation list, an attacker would be able to use a vulnerable version of shim and GRUB2. Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.
4. Netgear httpd upgrade_check.cgi stack buffer overflow.
Overview:
Multiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges.
Description:
Many Netgear devices contain an embedded web server, which is provided by the httpd process, to provide administrative capabilities. On multiple Netgear devices, this code fails to properly validate the header size provided to the upgrade_check.cgi handler. Despite copying the header to a fixed-size buffer on the stack, the vulnerable code copies an attacker-provided count of bytes from attacker-provided data. This allows for remote code execution by way of stack buffer overflow. This vulnerability is exacerbated by a number of issues:
The httpd process runs with root privileges.
Stack cookies, which can help prevent exploitation of stack buffer overflows, are not universally used in Netgear devices.
Authentication is not required to reach the vulnerable code.
The vulnerability occurs before Cross-Site Request Forgery (CSRF) token checking occurs.
Target device fingerprinting can occur by visiting the /currentsetting.htm page on an affected device.
Exploit code that targets 79 different Netgear devices is publicly available.
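The root defect described above is a copy whose length is taken from the request and never compared with the destination buffer. The following C code is an added example, not Netgear's httpd source: it shows that pattern next to a bounded version and a small simulated handler. The request layout (a 4-byte big-endian header length followed by the header bytes) and the 64-byte buffer size are constructed for illustration and are not the real upgrade_check.cgi format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HEADER_BUF_SIZE 64   /* hypothetical fixed-size stack buffer */

/* The pattern the advisory describes: `count` comes straight from the request
   and is never compared with the destination size. Kept only for contrast;
   it is never called with oversized input here. */
int copy_header_unchecked(uint8_t *dst, const uint8_t *src, size_t count)
{
    memcpy(dst, src, count);             /* count larger than dst overflows the stack */
    return 0;
}

/* Hardened form: the copy is bounded by both the destination size and the
   bytes actually received. Oversize requests are rejected, not truncated,
   so later parsing never sees a partial header. */
int copy_header_checked(uint8_t *dst, size_t dst_size,
                        const uint8_t *src, size_t src_avail, size_t count)
{
    if (count > dst_size)  return -1;    /* claimed size exceeds the buffer */
    if (count > src_avail) return -2;    /* claimed size exceeds what was received */
    memcpy(dst, src, count);
    return 0;
}

/* Simulated handler. Constructed request layout: 4-byte big-endian header
   length, then the header bytes. Returns 0 on success, negative on rejection. */
int handle_upgrade_check(const uint8_t *req, size_t req_len)
{
    uint8_t header[HEADER_BUF_SIZE];
    if (req_len < 4) return -3;
    size_t count = ((size_t)req[0] << 24) | ((size_t)req[1] << 16) |
                   ((size_t)req[2] << 8)  |  (size_t)req[3];
    int rc = copy_header_checked(header, sizeof header, req + 4, req_len - 4, count);
    if (rc != 0) return rc;
    /* the header would be parsed here; it is now guaranteed to fit */
    return 0;
}

/* Builds a constructed request claiming `claimed` header bytes while carrying
   `actual` bytes, and runs it through the handler. */
int demo_request(size_t claimed, size_t actual)
{
    uint8_t req[4 + 256];
    if (actual > sizeof req - 4) return -99;
    req[0] = (uint8_t)(claimed >> 24); req[1] = (uint8_t)(claimed >> 16);
    req[2] = (uint8_t)(claimed >> 8);  req[3] = (uint8_t)claimed;
    memset(req + 4, 0x41, actual);      /* filler header bytes */
    return handle_upgrade_check(req, 4 + actual);
}
```

The bounds check is the fix; compiling the server with a stack protector such as GCC's -fstack-protector-strong is a second, independent layer that the advisory notes is not universally present on these devices.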
Impact:
By convincing a user to visit a malicious or compromised website, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable device with root privileges.
Solution:
Apply an update
Netgear has provided updates for several vulnerable devices. Note that Netgear does not indicate when devices have reached an end of life (EOL) state, which makes it difficult to determine whether a vulnerable device will receive an update in the future.
The CERT/CC has made a spreadsheet to more clearly indicate which devices have updates, and which devices may either be receiving an update in the future, or may possibly be unsupported.
As outlined in the blog post It's Time to Retire Your Unsupported Things, you should factor the vendor's support life span into purchasing decisions. Vendors that indicate how long products will be supported should be preferred over those that do not clearly indicate how long a device will be supported. Similarly, vendors that clearly indicate when a product has reached EOL state should be preferred over vendors that do not.
5. Treck IP stacks contain multiple vulnerabilities.
Overview:
Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20.
Description:
Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compilation from source, licensing for modification and reuse, and linking as a dynamic or static library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs. For more details on the vulnerabilities introduced by these bugs, see Treck's Vulnerability Response Information and JSOF's Ripple20 advisory.
Historically-related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.
These vulnerabilities likely affect industrial control systems and medical devices. Please see ICS-CERT Advisory ICSA-20-168-01 for more information.
Impact:
The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exacerbated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.
Solution:
Apply updates
Update to the latest stable version of Treck IP stack software (6.0.1.67 or later). Please contact Treck at security@treck.com. Downstream users of embedded systems that incorporate Treck IP stacks should contact their embedded system vendor.
Block anomalous IP traffic
Consider blocking network attacks via deep packet inspection. In some cases, modern switches, routers, and firewalls will drop malformed packets with no additional configuration. It is recommended that such security features are not disabled. Below is a list of possible mitigations that can be applied as appropriate to your network environment.
Normalize or reject IP fragmented packets (IP Fragments) if not supported in your environment
Disable or block IP tunneling, both IPv6-in-IPv4 and IP-in-IP tunneling, if not required
Block IP source routing and any IPv6 deprecated features like routing headers (see also VU#267289)
Enforce TCP inspection and reject malformed TCP packets
Block unused ICMP control messages such as MTU Update and Address Mask updates
Normalize DNS through a secure recursive server or application layer firewall
Ensure that you are using reliable OSI layer 2 equipment (Ethernet)
Provide DHCP/DHCPv6 security with features such as DHCP snooping
Disable or block IPv6 multicast if not used in switching infrastructure
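Several of the mitigations above (rejecting fragments, blocking IP-in-IP and IPv6-in-IPv4 tunnels, blocking source routing, dropping malformed packets) can be checked with a few header fields. The following C code is an added example, not from Treck, JSOF or CERT/CC: it classifies an IPv4 packet into those categories and runs over a handful of packets constructed inline (zero checksum, made-up 10.0.0.x addresses, dummy payload), which stand in for captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum {
    IP_FLAG_MALFORMED    = 1 << 0,  /* header fields inconsistent with the bytes present */
    IP_FLAG_FRAGMENT     = 1 << 1,  /* MF set or non-zero fragment offset */
    IP_FLAG_TUNNEL       = 1 << 2,  /* protocol 4 (IP-in-IP) or 41 (IPv6-in-IPv4) */
    IP_FLAG_SOURCE_ROUTE = 1 << 3   /* LSRR (131) or SSRR (137) option present */
};

/* Classifies one IPv4 packet; returns a bitmask of the flags above (0 = clean). */
unsigned classify_ipv4(const uint8_t *pkt, size_t len)
{
    unsigned flags = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return IP_FLAG_MALFORMED;
    size_t ihl   = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len) return IP_FLAG_MALFORMED;
    unsigned frag = ((unsigned)pkt[6] << 8) | pkt[7];
    if ((frag & 0x2000) || (frag & 0x1FFF)) flags |= IP_FLAG_FRAGMENT;
    if (pkt[9] == 4 || pkt[9] == 41) flags |= IP_FLAG_TUNNEL;
    for (size_t i = 20; i < ihl; ) {            /* walk the options area */
        uint8_t type = pkt[i];
        if (type == 0) break;                   /* End of Options List */
        if (type == 1) { i++; continue; }       /* No Operation */
        if (i + 1 >= ihl) return flags | IP_FLAG_MALFORMED;
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > ihl) return flags | IP_FLAG_MALFORMED;
        if (type == 131 || type == 137) flags |= IP_FLAG_SOURCE_ROUTE;
        i += olen;
    }
    return flags;
}

/* Drop policy for this example: anything flagged is dropped. Fragments are
   legitimate on some networks, so a real deployment would make that bit configurable. */
int should_drop(unsigned flags) { return flags != 0; }

/* Constructed packet builder (not a capture): zero checksum, 8-byte dummy payload. */
static size_t build_packet(uint8_t *out, uint8_t proto, unsigned frag_field,
                           const uint8_t *opts, size_t opts_len)
{
    size_t ihl   = 20 + ((opts_len + 3) & ~(size_t)3);   /* options padded to 32-bit words */
    size_t total = ihl + 8;
    memset(out, 0, total);                                /* padding zeros act as EOL */
    out[0] = (uint8_t)(0x40 | (ihl / 4));
    out[2] = (uint8_t)(total >> 8);      out[3] = (uint8_t)total;
    out[6] = (uint8_t)(frag_field >> 8); out[7] = (uint8_t)frag_field;
    out[8] = 64;                         out[9] = proto;
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    memcpy(out + 12, src, 4); memcpy(out + 16, dst, 4);
    if (opts_len) memcpy(out + 20, opts, opts_len);
    return total;
}

/* Sample set: 0 plain TCP with DF, 1 first fragment, 2 later fragment,
   3 IP-in-IP, 4 IPv6-in-IPv4, 5 LSRR option, 6 total length larger than the buffer. */
unsigned classify_sample(int which)
{
    uint8_t pkt[64];
    static const uint8_t lsrr[] = {131, 7, 4, 10, 0, 0, 9}; /* LSRR, len 7, one hop */
    size_t n;
    switch (which) {
    case 0: n = build_packet(pkt, 6,  0x4000, NULL, 0); break;
    case 1: n = build_packet(pkt, 17, 0x2000, NULL, 0); break;
    case 2: n = build_packet(pkt, 17, 0x0010, NULL, 0); break;
    case 3: n = build_packet(pkt, 4,  0x4000, NULL, 0); break;
    case 4: n = build_packet(pkt, 41, 0x4000, NULL, 0); break;
    case 5: n = build_packet(pkt, 6,  0x4000, lsrr, sizeof lsrr); break;
    case 6: n = build_packet(pkt, 6,  0x4000, NULL, 0); pkt[3] = 200; break;
    default: return IP_FLAG_MALFORMED;
    }
    return classify_ipv4(pkt, n);
}
```

The length checks come first on purpose: a total-length or header-length field that disagrees with the bytes actually received is exactly the kind of inconsistency the advisory's "malformed packets" mitigation targets, and it is rejected before any option parsing is attempted.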