Dangerous vulnerability discovered in McAfee ATM protection

Tomcat

Positive Technologies application analysis specialist Maxim Kozhevnikov discovered a dangerous zero-day vulnerability in Solidcore, the ATM protection system that is part of the McAfee Application Control (MAC) product. The bug allows an attacker to execute arbitrary code and escalate privileges on the system.

What is the problem

The zero-day vulnerability CVE-2016-8009 was found during a security analysis of ATMs at one of the large banks. Solidcore is used in many Windows-based ATMs to identify and block malicious files using whitelists, and to control the privileges of running processes. Solidcore was originally a product of Solidcore Systems, but in 2009 it was bought by McAfee, which in turn was bought by Intel. Solidcore is currently part of the McAfee Application Control (MAC) product, although many in the market still use the old name.

The vulnerability discovered by the Positive Technologies expert allows an unauthorized user to use the IOCTL handler of one of the product's drivers to corrupt Windows kernel memory. Exploitation can lead to arbitrary code execution with SYSTEM rights, elevation of privileges from Guest to SYSTEM, or a crash of the OS.

During the research, the vulnerability made it possible to control Solidcore components at will and perform actions with SYSTEM rights: in particular, to disable Solidcore's interaction with the ePolicy Orchestrator management server, disable the Solidcore management console lock, disable password protection, and inject code into any system process. With access to the vulnerable driver, an attacker can use it to add malware to the Solidcore whitelists without fully disabling protection or communication with the management server, thereby avoiding suspicion and log entries.

Knowing about such a vulnerability, attackers can successfully attack a bank of interest using specially prepared malware, and similar attacks have already taken place. In particular, the Tyupkin ATM Trojan discovered in 2014 is notable precisely for its ability to disable Solidcore in order to hide its malicious activity. Using this Trojan, criminals were able to steal hundreds of thousands of dollars from ATMs in Eastern Europe without attracting attention.

How to reduce risk

Intel Security has released a patch for the discovered bug. According to Positive Technologies experts, the risk of the driver being abused by attackers can be reduced if developers add an authorization mechanism for access to the driver's dispatch functions. If this is not possible, I/O request dispatching must follow the SDL requirements for WDM drivers.

As for protective measures on the client side, that is, at the banks, the main measure is regular auditing of ATM security, together with policies for the secure configuration of ATMs and continuous monitoring of compliance with those policies. Such control significantly improves the resistance of ATMs to attacks that exploit simple weaknesses, such as bypassing kiosk mode or a missing BIOS password. To detect targeted attacks in real time, the use of security event monitoring systems (SIEM) is recommended; they can detect suspicious actions or combinations of actions, such as connection of unusual devices to the ATM, sudden reboots, excessive key presses, or execution of prohibited commands.
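The article names the bug class (an IOCTL handler that lets a low-privileged caller corrupt kernel memory) and the fix class (dispatching I/O requests the way the WDM SDL guidance requires) without showing either. The C program below is an added example, not code from the article, from Positive Technologies or from Solidcore, and it does not reproduce the actual CVE-2016-8009 handler. It is a portable user-mode model of a METHOD_BUFFERED IOCTL dispatch routine in the common vulnerable shape, trusting a length field inside the caller's buffer, beside a version that validates what the I/O manager tells it before touching memory. IOCTL_DEMO_ADD_RULE, the request struct, the 128-byte pool model, the 256-byte attacker buffer and all function names are invented for the illustration.

```c
/*
 * Added, illustrative example (not Solidcore/McAfee code): a METHOD_BUFFERED
 * IOCTL handler that trusts a caller-controlled length, beside the validated
 * version a WDM dispatch routine should use. Portable user-mode model, no WDK
 * needed; IOCTL_DEMO_ADD_RULE, the structs and all names are invented here.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* CTL_CODE bit layout as in the WDK; the low two bits are the transfer method */
#define METHOD_BUFFERED      0
#define METHOD_NEITHER       3
#define FILE_DEVICE_UNKNOWN  0x22
#define FILE_ANY_ACCESS      0
#define CTL_CODE(dev, fn, meth, acc) \
    ((uint32_t)(((dev) << 16) | ((acc) << 14) | ((fn) << 2) | (meth)))
#define METHOD_FROM_CTL_CODE(c) ((c) & 0x3)

/* Hypothetical control code: "add this path to the driver's rule list" */
#define IOCTL_DEMO_ADD_RULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

#define RULE_MAX 64   /* size of the driver's rule object in the pool */

/* Wire format the user-mode caller sends; path_len is attacker-controlled */
typedef struct { uint32_t path_len; char path[RULE_MAX]; } DEMO_ADD_RULE_INPUT;

/* What the driver sees for METHOD_BUFFERED: the I/O manager copied the caller's
 * bytes into SystemBuffer and recorded how many in the IO_STACK_LOCATION, so
 * input_len (unlike path_len) cannot be lied about by the caller. */
typedef struct {
    uint32_t    ioctl_code;
    const void *system_buffer;   /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t    input_len;       /* Parameters.DeviceIoControl.InputBufferLength */
} IOCTL_REQUEST;

/* Model of two adjacent pool allocations: the rule object at [0,64) and an
 * unrelated neighbour at [64,128) that must never be touched. */
typedef struct { uint8_t pool[2 * RULE_MAX]; } KERNEL_POOL;
typedef uint32_t (*IOCTL_HANDLER)(KERNEL_POOL *, const IOCTL_REQUEST *);

/* Vulnerable: copies path_len bytes without checking it against the
 * destination size or InputBufferLength; path_len > 64 overruns the neighbour. */
uint32_t dispatch_vulnerable(KERNEL_POOL *p, const IOCTL_REQUEST *r) {
    const DEMO_ADD_RULE_INPUT *in = r->system_buffer;
    memcpy(p->pool, in->path, in->path_len);
    return STATUS_SUCCESS;
}

/* Hardened: unknown codes are rejected, the I/O-manager length is checked
 * before the struct is read, and the embedded length is read once and bounded
 * by both the field it indexes and the destination object. METHOD_NEITHER
 * codes (raw user pointers) are refused outright; a real driver that needs
 * them must ProbeForRead/ProbeForWrite inside __try/__except. */
uint32_t dispatch_hardened(KERNEL_POOL *p, const IOCTL_REQUEST *r) {
    if (METHOD_FROM_CTL_CODE(r->ioctl_code) == METHOD_NEITHER)
        return STATUS_INVALID_DEVICE_REQUEST;
    switch (r->ioctl_code) {
    case IOCTL_DEMO_ADD_RULE: {
        if (r->input_len < sizeof(DEMO_ADD_RULE_INPUT))
            return STATUS_BUFFER_TOO_SMALL;
        const DEMO_ADD_RULE_INPUT *in = r->system_buffer;
        uint32_t len = in->path_len;            /* read once, validate once */
        if (len > sizeof in->path || len > RULE_MAX)
            return STATUS_INVALID_PARAMETER;
        memcpy(p->pool, in->path, len);
        return STATUS_SUCCESS;
    }
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Builds a constructed attacker request (256 bytes of 'A' with the claimed
 * length in front), runs it on a fresh pool and returns the handler's status;
 * *intact reports whether the neighbouring allocation survived. */
uint32_t run_request(IOCTL_HANDLER h, uint32_t ioctl, uint32_t claimed_len,
                     uint32_t input_len, int *intact) {
    uint8_t buf[256];
    memset(buf, 'A', sizeof buf);
    memcpy(buf, &claimed_len, sizeof claimed_len);
    IOCTL_REQUEST r = { ioctl, buf, input_len > sizeof buf ? (uint32_t)sizeof buf : input_len };
    KERNEL_POOL p;
    memset(p.pool, 0, RULE_MAX);
    memset(p.pool + RULE_MAX, 0xAA, RULE_MAX);   /* neighbour's known contents */
    uint32_t status = h(&p, &r);
    *intact = 1;
    for (int i = RULE_MAX; i < 2 * RULE_MAX; i++)
        if (p.pool[i] != 0xAA) *intact = 0;
    return status;
}

/* Plain-return wrappers around run_request */
uint32_t status_of(IOCTL_HANDLER h, uint32_t ioctl, uint32_t claimed, uint32_t in_len) {
    int unused; return run_request(h, ioctl, claimed, in_len, &unused);
}
int neighbour_survives(IOCTL_HANDLER h, uint32_t ioctl, uint32_t claimed, uint32_t in_len) {
    int intact; run_request(h, ioctl, claimed, in_len, &intact); return intact;
}

int main(void) {
    printf("vulnerable: status 0x%08X, neighbour intact: %d\n",
           status_of(dispatch_vulnerable, IOCTL_DEMO_ADD_RULE, 96, 256),
           neighbour_survives(dispatch_vulnerable, IOCTL_DEMO_ADD_RULE, 96, 256));
    printf("hardened:   status 0x%08X, neighbour intact: %d\n",
           status_of(dispatch_hardened, IOCTL_DEMO_ADD_RULE, 96, 256),
           neighbour_survives(dispatch_hardened, IOCTL_DEMO_ADD_RULE, 96, 256));
    return 0;
}
```

With a claimed length of 96 the vulnerable handler returns success and overwrites the first 32 bytes of the neighbouring allocation, which in a real driver is the kernel pool corruption the article describes; the hardened handler returns STATUS_INVALID_PARAMETER and the pool is untouched. The article's first recommendation, authorizing who may reach the dispatch routine at all, is not modelled above. In a WDM driver it is normally done by creating the device object with a restrictive security descriptor, for example IoCreateDeviceSecure with SDDL_DEVOBJ_SYS_ALL_ADM_ALL ("D:P(A;;GA;;;SY)(A;;GA;;;BA)"), so that a Guest-level process cannot even open the device handle an exploit would need.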