Iagona's ScrutisWeb ATM fleet monitoring software has four security flaws that could be used to remotely access ATMs, upload arbitrary files, or even reboot the terminals.
Following a client engagement, the Synack Red Team (SRT) found the flaws.
Version 2.1.38 of ScrutisWeb has fixes for the problems.
According to an advisory last month from the US Cybersecurity and Infrastructure Security Agency (CISA), "successful exploitation of these vulnerabilities could allow an attacker to upload and execute arbitrary files."
With ScrutisWeb, you can remotely modify data, shut down or restart a terminal, and gather information about the status of the information system for banking and retail ATM fleets. It is a web browser-based solution.
The four issues are described in more detail as follows:
A directory traversal flaw called CVE-2023-33871 (CVSS score: 7.5) could let an unauthorized user access any file located outside the webroot of the server.
An unauthenticated user may be able to upload and run a malicious payload thanks to CVE-2023-35189 (CVSS score: 10.0), a remote code execution vulnerability.
An unauthenticated user may be able to decrypt encrypted passwords into plaintext using the cryptographic flaw CVE-2023-35763 (CVSS score: 5.0).
An unauthenticated user may be able to view profile information, including user login names and encrypted passwords, thanks to CVE-2023-38257's insecure direct object reference vulnerability (CVSS score: 7.5).
The most serious flaw is CVE-2023-35189, which allows an unauthorized user to upload any file and then view it again in a web browser, leading to command injection.
An adversary could use CVE-2023-38257 and CVE-2023-35763 as tools in a hypothetical attack scenario to gain administrator access to the ScrutisWeb management console.
"From this point, a malicious actor could keep tabs on activities on particular ATMs in the fleet. The console also enables uploading files to ATMs, rebooting them, and turning them off entirely," according to Synack.
Additionally, CVE-2023-35189 could be used to delete ScrutisWeb log files in order to hide the attack's trail.
The researchers warned that a malicious actor could use this foothold in the client's infrastructure as a pivot point for attacks on the internet.
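The following is an added example, not code from the original post, from Iagona, or from Synack. It shows in Python how a defender closes the two most serious bug classes the post names: a containment check that canonicalises a client-supplied path before a file is served (the directory traversal class of CVE-2023-33871), an upload handler that never lets the client choose the stored name or a server-side script type and that stores outside the web root (the arbitrary file upload class of CVE-2023-35189), and a scan over access-log lines for traversal markers, which is the check an incident responder would run first. The directory names, the extension allow-list, all function names and the sample log lines are assumptions constructed for this example; none of them is taken from ScrutisWeb.

```python
# Added example, not Iagona's or Synack's code. Paths, the allow-list and the
# sample log lines are constructed assumptions for illustration.
import os
import re
import secrets
import tempfile
from typing import List, Tuple


class PathTraversalError(ValueError):
    """A client-supplied path would resolve outside the allowed base directory."""


class UploadRejected(ValueError):
    """An uploaded file name failed validation."""


ALLOWED_UPLOAD_SUFFIXES = {".txt", ".csv", ".log", ".json"}  # plain data only, never scripts
SAFE_BASENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
TRAVERSAL_MARKERS = re.compile(r"\.\./|\.\.\\|%2e%2e(?:%2f|%5c|/)|\.\.%2f", re.I)
# Common log format: client ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')


def safe_join(base_dir: str, user_path: str) -> str:
    """Join an already URL-decoded client path onto base_dir, refusing any escape."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base_real = os.path.realpath(base_dir)
    # Leading separators are dropped so an absolute client path cannot replace the base.
    relative = user_path.replace("\\", "/").lstrip("/")
    # realpath resolves '..' and symlinks BEFORE the check; commonpath (not a
    # string prefix test) proves the result really sits under base_dir.
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if safe_join() accepts user_path under base_dir."""
    try:
        return bool(safe_join(base_dir, user_path))
    except PathTraversalError:
        return False


def validate_upload_name(client_filename: str) -> str:
    """Return the lower-cased extension if the client's file name is acceptable.
    Only the base name counts (client-sent directory parts are discarded) and the
    final extension decides the type, so 'report.txt.aspx' is refused."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_BASENAME.fullmatch(name):
        raise UploadRejected(f"unsafe file name {client_filename!r}")
    suffix = os.path.splitext(name)[1].lower()
    if suffix not in ALLOWED_UPLOAD_SUFFIXES:
        raise UploadRejected(f"file type {suffix!r} not allowed")
    return suffix


def upload_name_allowed(client_filename: str) -> bool:
    """True if validate_upload_name() accepts the name."""
    try:
        return bool(validate_upload_name(client_filename))
    except UploadRejected:
        return False


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Write data under a server-chosen random name (upload_dir is assumed to lie
    outside the web root, so nothing stored here can be served back as a page)."""
    suffix = validate_upload_name(client_filename)
    stored_name = f"{secrets.token_hex(8)}{suffix}"
    with open(safe_join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for requests whose path carries '..' markers."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and TRAVERSAL_MARKERS.search(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


SAMPLE_LOG = [  # constructed lines, not from a real ScrutisWeb host
    '10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2023:10:00:02 +0000] "GET /static/../../config/app.txt HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Aug/2023:10:00:03 +0000] "GET /static/%2e%2e%2f%2e%2e%2fconfig/app.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as uploads:
        print("stored as", store_upload(uploads, "..\\..\\report.CSV", b"a,b\n"))
        print("contained:", is_contained(uploads, "css/site.css"), is_contained(uploads, "../../etc/passwd"))
    print("rejected script upload:", not upload_name_allowed("report.txt.aspx"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Two design points worth noting. `safe_join` expects the path exactly as the web framework hands it over after one round of URL decoding; decoding it again inside the handler would reopen the door to double-encoded `..` sequences, so the log scan above looks for both the raw and the percent-encoded forms while the path guard relies on a single decode. And the upload handler treats the client's file name purely as input to a validation step: the bytes land under a random server-chosen name, in a directory the web server never serves, so even a file that slipped past the extension check could not be "viewed again in a web browser" in the way the post describes.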
It is nice that there's monitoring software for ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.
It is nice that there's monitoring software for ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.
Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many: some think it's unnecessary while others appreciate it, so which are you?
IyaJJJ;20351 wrote:It is nice that there's monitoring software for ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.
Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many: some think it's unnecessary while others appreciate it, so which are you?
I believe the issue of the ATM that was posted on this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment it must welcome all kinds of payment methods.
Dozie;20462 wrote:IyaJJJ;20351 wrote:It is nice that there's monitoring software for ATM activities that detects the four security weaknesses which could be used by a bad actor to remotely access ATMs, upload arbitrary files, or even reboot the terminals. I hope a solution is found before the bad actors know about the weaknesses.
Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many: some think it's unnecessary while others appreciate it, so which are you?
I believe the issue of the ATM that was posted on this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment it must welcome all kinds of payment methods.
Moreover, Bitcoin can actually maintain its state of being a decentralized means of payment. And the only acceptable means to that is tokenization systems.
Vastextension;20589 wrote:Dozie;20462 wrote:Is a Bitcoin ATM something you would love to try? The Bitcoin ATM has attracted mixed feelings from many: some think it's unnecessary while others appreciate it, so which are you?
I believe the issue of the ATM that was posted on this topic does not exclude the Bitcoin ATM, and the people saying there's a need for it have a point. However, if cryptocurrency wants to be a mainstream means of payment it must welcome all kinds of payment methods.
Moreover, Bitcoin can actually maintain its state of being a decentralized means of payment. And the only acceptable means to that is tokenization systems.
The fundamental mechanism that Bitcoin is built on is decentralization, just like Crypton, but Crypton coin has additional features which make me like it more than Bitcoin.
Unauthorized access to sensitive files and data outside the webroot of the server due to the directory traversal flaw (CVE-2023-33871). Remote code execution, allowing attackers to upload and run malicious payloads, potentially compromising the integrity of the system (CVE-2023-35189).
Decryption of encrypted passwords into plaintext, compromising user credentials and potentially leading to unauthorized access. Exposure of profile information, including user login names and encrypted passwords, due to the insecure direct object reference vulnerability.
Unauthorized Access to Sensitive Files Disadvantage: Allows attackers to access files beyond the web server's intended boundaries, potentially exposing sensitive data and compromising system integrity.
Unauthorized Access to Sensitive Files Disadvantage: Allows attackers to access files beyond the web server's intended boundaries, potentially exposing sensitive data and compromising system integrity.
Malicious Payload Execution Disadvantage: Enables unauthenticated users to upload and execute arbitrary code, leading to potential system takeover and unauthorized access to sensitive information.
crpuusd;38217 wrote:Unauthorized Access to Sensitive Files Disadvantage: Allows attackers to access files beyond the web server's intended boundaries, potentially exposing sensitive data and compromising system integrity.
Malicious Payload Execution Disadvantage: Enables unauthenticated users to upload and execute arbitrary code, leading to potential system takeover and unauthorized access to sensitive information.
Password Exposure Disadvantage: Permits adversaries to decrypt encrypted passwords, exposing user credentials and compromising authentication mechanisms, leading to unauthorized access.