ScrutisWeb Software’s Numerous Weaknesses Allow Remote Hacking of ATMs
Iagona’s ScrutisWeb ATM fleet tracking program contains four security flaws that might be used to remotely access ATMs, upload unauthorized files, or even reset the terminals.
Following customer engagement, the Synack Red Team (SRT) identified the flaws. Version 2.1.38 of ScrutisWeb has the problems fixed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in an alert released last month that “successful penetration of these flaws might enable an intruder to upload and launch unauthorized files.”
A web browser-based tool called ScrutisWeb can be used to remotely edit data, shut down or reboot a terminal, and get updates on the condition of information systems for banking and retail ATM fleets.
The 4 weaknesses are described thoroughly as follows:
- CVE-2023-33871 (CVSS score: 7.5): An unauthenticated user might be able to directly access any file located outside the webroot of the server due to a directory traversal vulnerability.
- CVE-2023-35189 (CVSS score: 10.0): A code execution remotely flaw that might let an unauthorized user upload and run a malicious payload.
- CVE-2023-35763 (CVSS score: 5.5): An unauthorized user could be able to decode encrypted passwords into plaintext thanks to a cryptographic flaw.
- CVE-2023-38257 (CVSS score: 7.5): An unauthenticated user may be able to read personal data, like user login names and encrypted passwords, due to an unsecured direct object reference vulnerability.
One of the issues, CVE-2023-35189, is the most serious since it allows an unauthorized user to upload any kind of file and then read it again in a web browser, leading to command injection.
An attacker might use CVE-2023-38257 and CVE-2023-35763 as weapons to gain administrator access to the ScrutisWeb administration console.
“From this point, a hostile actor might keep tabs on activities on specific ATMs in the fleet. According to Synack, the console also enables users to reboot, upload files to, and turn off ATMs altogether in addition to dropping them into management mode.
Additionally, CVE-2023-35189 could be exploited to remove ScrutisWeb log files in order to hide the attack’s trail.
The researchers warned in an official statement that “A malicious actor may use this foothold in the client’s architecture as a pivot point for attacks on the internet.”
About The Author:
Yogesh Naager is a content marketer that specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
Read More Article Here