CVE-2020-9063: Buffer Overflow
First published: Fri Aug 21 2020(Updated: )
NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not authenticate or protect the integrity of USB HID communications between the currency dispenser and the host computer, permitting an attacker with physical access to internal ATM components the ability to inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer by causing a buffer overflow on the host.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| XFS ACL | <=05.01.00 | |
| NCR SelfServ ATM |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.cert.org/vuls/id/116713
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf
- https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf
Frequently Asked Questions
What is the severity of CVE-2020-9063?
CVE-2020-9063 is classified as a critical severity vulnerability due to the potential for unauthorized access and malicious payload injection.
How do I fix CVE-2020-9063?
To remediate CVE-2020-9063, upgrade NCR SelfServ ATMs running APTRA XFS to version 05.01.01 or later, which includes security improvements.
Who is affected by CVE-2020-9063?
CVE-2020-9063 affects NCR SelfServ ATMs that are running APTRA XFS versions 05.01.00 or earlier.
What type of attack does CVE-2020-9063 enable?
CVE-2020-9063 enables an attacker with physical access to inject malicious payloads into the ATM by exploiting vulnerabilities in USB HID communications.
What can attackers do with CVE-2020-9063?
Attackers exploiting CVE-2020-9063 can manipulate currency dispensing functions and potentially execute arbitrary code on the ATM system.
- agent/type
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ncr
- canonical/xfs acl
- version/xfs acl/05.01.00
- canonical/ncr selfserv atm