CVE-2020-10123

Опубликовано: 21 авг. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 2.1

EPSS Низкий

Описание

The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.

Ссылки

https://kb.cert.org/vuls/id/116713
Third Party Advisory
US Government Resource
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf
Exploit
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf
Vendor Advisory
https://kb.cert.org/vuls/id/116713
Third Party Advisory
US Government Resource
https://www.kb.cert.org/vuls/id/116713
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf
Exploit
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf
Vendor Advisory
https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:ncr:aptra_xfs:*:*:*:*:*:*:*:*

Версия до 05.01.00 (включая)

cpe:2.3:h:ncr:selfserv_atm:-:*:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00104

Низкий

5.3 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-305

CWE-287

Связанные уязвимости

GHSA-9fqf-7qjx-9m2h