Vulnerability allows code execution in ATMs to get free money withdrawals

Website security services specialists report that Diebold Nixdorf, one of the world’s leading ATM manufacturers, will begin an awareness campaign for its customers aiming to implement protections for older Opteva ATM models, as they are exposed to a critical remote code execution vulnerability, disclosed in recent days.

Experts, who are part of a research team self-called NightStorm, reported the finding of an external operating system service at the old Opteva ATM terminals that a malicious user could exploit to inject inverse shells on vulnerable systems and take control of the devices.

“This potential risk is due to a part of the Agile XFS Service using .Net over an external HTTP channel”, the website security services experts mentioned in the security alert sent to the company. On the other hand, Opteva mentions that his clients will be receiving this alert in the next few hours. Also, Diebold Nixdorf claims that this service is only found in version 4.x of the Opteva software, so newer versions are not impacted.

The ATM manufacturer company launched Agilis XFS for Opteva version 4.1.22, which changed the configuration of the external HTTP service to inter-process communication. This setting should prevent a remote threat player from interacting with the compromised device via the Internet or from a local network.

According to experts in website security services, a properly configured terminal-based firewall should be enough to mitigate the attack risks, the company even notes that older Opteva ATMs are shipped to the customer with a firewall solution enabled.

Diebold Nixdorf highlighted that the experts disabled the firewall for their tests, so Opteva ATMs should be protected from exploiting the vulnerability, unless the ATM operators disable the firewall intentionally.

The specialists from the International Institute of Cyber Security (IICS) mention that the company is taking some measures for the protection of its customers, telling them that, in addition to software updates, the company will launch a practical guide for protection against remote execution vulnerability.