Vulnerabilities in ScrutisWeb could be used to remotely hack into ATMs

Carding

Researchers have warned of several vulnerabilities found in ScrutisWeb ATM monitoring software developed by the French company Iagona. These problems can be used for remote hacking.

The vulnerabilities were discovered by members of the Synack red team, and the manufacturer fixed them in July 2023 with the release of ScrutisWeb version 2.1.38.

ScrutisWeb allows organizations to monitor their fleet of banking or retail devices directly from a browser, allowing them to quickly respond to emerging issues. ScrutisWeb allows you to control hardware, reboot or turn off the device, send and receive files, modify data remotely. It should be noted that the "ATM park" may include deposit devices for checks, as well as payment terminals.

Researchers found four vulnerabilities in ScrutisWeb: CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189. These issues are related to authorization traversal, directory traversal, hard-coded cryptographic key, and arbitrary file uploads. Vulnerabilities can be exploited by remote attackers without authentication.

The bugs can be used to get data from the server (settings, logs, and databases), execute arbitrary commands, and get encrypted administrator passwords and decrypt them using a hard-coded key.

According to the researchers, in the end, attackers can use these problems to log into the ScrutisWeb management console as an administrator and monitor the work of ATMs connected to the system, being able to activate the device management mode, reboot or turn them off, download files, and so on. Also, hackers can use the remote command execution vulnerability to hide traces of their activities by deleting the corresponding files.

“More research is required to determine whether custom software can be loaded into individual ATMs to exfiltrate bank card data, redirect Swift transfers, or otherwise perform malicious activities. However, such additional testing was not within the scope of our analysis,” the researchers note.
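As an added example that is not part of the post and not ScrutisWeb or Iagona code: the generic server-side checks that close two of the bug classes named above for a browser-based device console, directory traversal in file retrieval and unrestricted file upload, plus a small screen over access-log lines that flags attempts at either. The storage root, the allow-listed upload suffixes, the URL shapes and the log lines are all constructed assumptions for the example.

```python
"""Added example, not ScrutisWeb/Iagona code: defensive path and upload checks
for a web console that serves and accepts files under one fixed directory,
plus a log screen that reuses the same checks for retrospective detection."""
import re
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

BASE_DIR = Path("/srv/console/files")               # assumed storage root
ALLOWED_UPLOAD_SUFFIXES = {".txt", ".log", ".csv"}  # assumed upload policy
UPLOAD_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def resolve_under_base(requested: str, base: Path = BASE_DIR) -> Path:
    """Map a client-supplied relative path onto `base`, refusing anything that
    would escape it. `requested` is the path as the web framework delivered it
    (already URL-decoded once). Purely lexical, so no files need to exist."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    if requested.startswith(("/", "\\")) or "\\" in requested:
        raise ValueError("absolute paths and backslashes are not allowed")
    parts = PurePosixPath(requested).parts      # collapses '.' and repeated '/'
    if not parts or ".." in parts:
        raise ValueError("path traversal component rejected")
    candidate = base.joinpath(*parts)
    if not candidate.is_relative_to(base):      # final guard after joining
        raise ValueError("resolved path escapes base directory")
    return candidate


def validate_upload_name(filename: str) -> str:
    """Accept only a bare filename with an allow-listed suffix; return it unchanged."""
    if PurePosixPath(filename).name != filename or not UPLOAD_NAME_RE.fullmatch(filename):
        raise ValueError("upload filename rejected")
    if PurePosixPath(filename).suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        raise ValueError("upload type not allowed")
    return filename


# Constructed access-log lines (not real ScrutisWeb logs) in "METHOD PATH STATUS" form.
SAMPLE_LOG = """\
GET /files/reports/daily.csv 200
GET /files/..%2F..%2Fweb.config 200
POST /upload?name=notes.txt 201
POST /upload?name=page.aspx 201
GET /files/logs/app.log 200
"""

_UPLOAD_RE = re.compile(r"^POST /upload\?name=([^ ]+) ")
_FILES_RE = re.compile(r"^GET /files/([^ ]+) ")


def screen_access_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for requests the checks above would reject,
    i.e. the events a defender would alert on when reviewing historical logs."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if m := _FILES_RE.match(line):
            try:
                resolve_under_base(unquote(m.group(1)))
            except ValueError as e:
                findings.append((n, f"traversal: {e}"))
        elif m := _UPLOAD_RE.match(line):
            try:
                validate_upload_name(unquote(m.group(1)))
            except ValueError as e:
                findings.append((n, f"upload: {e}"))
    return findings


if __name__ == "__main__":
    for n, reason in screen_access_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The same two functions serve both the request path (reject before touching the filesystem) and the detection path (replay the checks over logs), so the console and the SOC agree on what counts as an attempt. The third bug class in the post, a hard-coded cryptographic key, has no code fix beyond moving the key out of the binary into per-installation key material.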