
CVE-2020-10123

Published: 2020-08-21 21:15:11
CWE: CWE-305, CWE-287
Source: certcc, web.nvd.nist.gov
Tags: ncr, selfsev, atms, currency dispenser, authentication, vulnerability, nvd, cve-2020-10123

CVSS2: 2.1

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 5.3

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score: 5.8 (Confidence: High)

EPSS: 0.001 (Percentile: 45.5%)

The currency dispenser of NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.

Affected configurations

Nvd

Node: ncr aptra_xfs (Range: 05.01.00) AND ncr selfserv_atm (Match: -)

Vendor  Product       Version  CPE
ncr     aptra_xfs     *        cpe:2.3:o:ncr:aptra_xfs:*:*:*:*:*:*:*:*
ncr     selfserv_atm  -        cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "SelfServ ATM",
    "vendor": "NCR",
    "versions": [
      {
        "lessThanOrEqual": "05.01.00",
        "status": "affected",
        "version": "APTRA XFS",
        "versionType": "custom"
      }
    ]
  }
]
