Go to listing page

Researchers find RCE bug in older Diebold Nixdorf ATMs

Researchers find RCE bug in older Diebold Nixdorf ATMs
  • A publicly exposed OS service in Diebold Nixdorf’s Opteva ATM series could be compromised with reverse shells.
  • The company is notifying customers about this vulnerability and has released software patches to fix this flaw.

ATM manufacturer Diebold Nixdorf is notifying customers about a remote code execution (RCE) vulnerability present in its older Opteva ATM models’ software.

The vulnerability was spotted by a team of security researchers known as NightSt0rm. In a blog on Medium, the team described an OS service in these ATMs that could be remotely exploited with reverse shells to deploy malicious payloads.

The big picture

  • The researchers found a publicly exposed OS service called ‘Spiservice’ in older Opteva ATMs. This service was linked to a DLL library known as ‘MSXFS.dll’ which is specifically used in ATMs.
  • They tested an ATM running Agilis XFS (Diebold XFS service) for Opteva version 4.1.61.1. When connected through a web browser, Agilis XFS called many libraries including one known as ‘VDMXFS.dll’.
  • A remote configuration parameter is displayed as a result. This could be exploited to deploy reverse-shell payloads to have complete control over the vulnerable Opteva ATMs.

In their blog, the researchers also provide successful exploit methods.

What actions have been taken?

After learning of this RCE vulnerability, Diebold Nixdorf is in the process of notifying all customers using older Opteva ATMs of the issue. In addition, its advising operators to update to the latest version(4.1.22) of the ATM software, as suggesting countermeasures.

“While all Opteva systems come equipped with a terminal-based firewall installed, from the information we have, the terminal based firewall of the system was most likely not active during the evaluation. We have not received any reports of this potential exposure being exploited outside of a test environment,” read a security alert released by Diebold Nixdorf, shared with ZDNet.

Cyware Publisher

Publisher

Cyware