uTalk

Official forum for Utopia Community

#1 2023-08-15 21:28:26

thrive
Member
Registered: 2023-01-04
Posts: 2,018

ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

Iagona's ScrutisWeb ATM fleet monitoring software has four security flaws that could be used to remotely access ATMs, upload arbitrary files, or even reboot the terminals.

Following a client engagement, the Synack Red Team (SRT) found the flaws.
Version 2.1.38 of ScrutisWeb has fixes for the problems.

According to last month's advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), "successful exploitation of these vulnerabilities could allow an attacker to upload and execute arbitrary files."

With ScrutisWeb, you can remotely modify data, shut down or restart a terminal, and gather information about the status of the information system for banking and retail ATM fleets. It is a web browser-based solution.

The four issues are described in more detail as follows:

A directory traversal flaw called CVE-2023-33871 (CVSS score: 7.5) could let an unauthorized user access any file located outside the webroot of the server.
An unauthenticated user may be able to upload and run a malicious payload thanks to CVE-2023-35189 (CVSS score: 10.0), a remote code execution vulnerability.
An unauthenticated user may be able to decrypt encrypted passwords into plaintext using the cryptographic flaw CVE-2023-35763 (CVSS score: 5.0).
An unauthenticated user may be able to view profile information, including user login names and encrypted passwords, thanks to CVE-2023-38257's insecure direct object reference vulnerability (CVSS score: 7.5).
The most serious flaw is CVE-2023-35189, which allows an unauthorized user to upload any file and then view it again in a web browser, leading to command injection.

An adversary could use CVE-2023-38257 and CVE-2023-35763 as tools in a hypothetical attack scenario to gain administrator access to the ScrutisWeb management console.

"From this point, a malicious actor could keep tabs on activities on particular ATMs in the fleet. The console also enables uploading files to ATMs, rebooting them, and turning them off entirely," according to Synack.

Additionally, CVE-2023-35189 could be used to delete ScrutisWeb log files in order to hide the attack's trail.

The researchers warned that a malicious actor could use this foothold in the client's infrastructure as a pivot point for attacks on the internet.

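Two defender-side checks for the flaw classes listed in the post above, added here as an example and not code from the article, Synack or Iagona: a webroot-confinement check of the kind that closes the directory traversal class (CVE-2023-33871), and a log scan for the upload-then-browse sequence the post describes for CVE-2023-35189. The webroot, the script-extension list, the `/upload` endpoint name and the log lines are constructed assumptions.

```python
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

WEBROOT = "/var/www/app"  # hypothetical document root, not from the advisory
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")  # assumed server-executed extensions

def safe_webroot_path(requested, webroot=WEBROOT):
    """Map a user-supplied path under webroot; None if it would escape.
    Percent-decodes once (%2e%2e%2f -> ../), rejects NUL bytes, strips leading
    slashes so absolute paths stay confined, then normalises and checks."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(webroot)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def upload_then_fetch(lines, window=timedelta(minutes=5)):
    """Return (ip, path) pairs where a client made a successful POST to an
    upload endpoint and, within `window`, fetched a script-extension file:
    the upload-then-browse sequence described for the file-upload flaw."""
    last_upload, hits = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        bare = path.split("?", 1)[0].lower()
        if method == "POST" and "upload" in bare and status.startswith("2"):
            last_upload[ip] = when
        elif (method == "GET" and bare.endswith(SCRIPT_EXT)
              and ip in last_upload and when - last_upload[ip] <= window):
            hits.append((ip, path))
    return hits

SAMPLE_LOG = [  # constructed sample lines for demonstration, not real logs
    '10.0.0.5 - - [15/Aug/2023:21:00:01 +0000] "GET /index.aspx HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Aug/2023:21:01:10 +0000] "POST /upload HTTP/1.1" 200 42',
    '10.0.0.9 - - [15/Aug/2023:21:01:15 +0000] "GET /uploads/x.aspx HTTP/1.1" 200 88',
    '10.0.0.5 - - [15/Aug/2023:21:02:00 +0000] "POST /upload HTTP/1.1" 200 42',
    '10.0.0.5 - - [15/Aug/2023:21:30:00 +0000] "GET /uploads/a.aspx HTTP/1.1" 200 9',
]
```

Running `upload_then_fetch(SAMPLE_LOG)` flags only 10.0.0.9, whose script fetch follows its upload within the window; 10.0.0.5's fetch is 28 minutes later and is not reported.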

#2 2023-08-16 16:19:24

IyaJJJ
Member
Registered: 2023-01-25
Posts: 1,576

Re: ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

It is nice that there's monitoring software on the ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.


#3 2023-08-16 22:35:46

Dozie
Member
Registered: 2023-01-18
Posts: 658

Re: ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

IyaJJJ;20351 wrote:

It is nice that there's monitoring software on the ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.

Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many; some think it's unnecessary while others appreciate it, so which are you?


#4 2023-08-18 06:26:53

Vastextension
Member
Registered: 2022-11-19
Posts: 1,970

Re: ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

Dozie;20462 wrote:
IyaJJJ;20351 wrote:

It is nice that there's monitoring software on the ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.

Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many; some think it's unnecessary while others appreciate it, so which are you?

I believe the issue of the ATM that was posted in this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment, it must welcome all kinds of payment methods.


#5 2023-08-21 20:09:03

gap
Member
Registered: 2023-06-14
Posts: 1,175

Re: ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

Vastextension;20589 wrote:
Dozie;20462 wrote:
IyaJJJ;20351 wrote:

It is nice that there's monitoring software on the ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.

Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many; some think it's unnecessary while others appreciate it, so which are you?

I believe the issue of the ATM that was posted in this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment, it must welcome all kinds of payment methods.

Moreover, Bitcoin can actually maintain its state of being a decentralized means of payment, and the only acceptable means to that is tokenization systems.


#6 2023-08-27 16:18:33

Vastextension
Member
Registered: 2022-11-19
Posts: 1,970

Re: ScrutisWeb Software's Multiple Flaws Allow Remote Hacking of ATMs

gap;20771 wrote:
Vastextension;20589 wrote:
Dozie;20462 wrote:

Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many; some think it's unnecessary while others appreciate it, so which are you?

I believe the issue of the ATM that was posted in this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment, it must welcome all kinds of payment methods.

Moreover, Bitcoin can actually maintain its state of being a decentralized means of payment, and the only acceptable means to that is tokenization systems.

The fundamental mechanism that Bitcoin is built on is decentralization, just like Crypton, but Crypton coin has additional features which make me like it more than Bitcoin.
