Researchers find RCE bug in older Diebold Nixdorf ATMs
NightSt0rm, a group of IT security professionals and enthusiasts with shared interests, has traced a Remote Code Execution (RCE) flaw in the software of older Opteva ATM models: a publicly exposed OS service present in Diebold Nixdorf's Opteva ATM series that can be compromised remotely, with reverse shells used to deploy malicious payloads. The company is currently notifying its customers about the vulnerability and has released software patches to fix it. The story began in early 2019, when the group "accidentally" gained access to a Diebold ATM. Diebold is a company that supplies ATMs around the world.
They identified that port 8043, which serves a component of the XFS suite of services, was listening publicly in the surface scan. When the port was accessed with an HTTP request, a familiar message from an unusual service was returned. On further analysis, the executable behind the port was found to call many libraries, including one named VDMXFS.dll.
The program calls RemotingConfiguration.Configure("server.config"), which loads the remoting configuration from the server.config file. Analysis of that file was reported to yield a few clues, and since the program used .NET Remoting, the team found a fairly detailed description of the technology and wrote two applications to interact with the service over the network; the results were encouraging. This pointed to two candidate bugs: XXE and XML deserialization.
XXE later turned out not to be feasible, so the team focused on XML deserialization. The RemotingConfiguration class belongs to the System.Runtime.Remoting library, which, according to Microsoft's documentation, sends and receives serialized data. A payload was created, tested, and the flaw was exploited.
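The server.config named above is the first thing a practitioner would want to inspect on an Opteva host. The following Python script is added here as an illustration and is not code from NightSt0rm or Diebold Nixdorf: it parses a .NET Remoting server.config and flags listening channels that are not bound to loopback, plus server-side formatters set to typeFilterLevel="Full", the setting under which the SOAP or binary formatter will deserialize arbitrary types. The two embedded configs are constructed for the example; the port number (8043, taken from the scan above), the service type name and the objectUri are assumptions, and the real Opteva server.config is not reproduced on this page.

```python
"""Audit a .NET Remoting server.config for network-exposed listeners.

Constructed example: the configs below are illustrative, not Diebold
Nixdorf's real server.config. Port 8043 comes from the scan described
in the article; the type name and objectUri are assumed.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Weak: HTTP channel on every interface, SOAP formatter accepting any type.
WEAK_CONFIG = """\
<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="Singleton"
                   type="Example.XfsService, Example"
                   objectUri="XfsService.rem" />
      </service>
      <channels>
        <channel ref="http" port="8043">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
"""

# Hardened: same service, bound to loopback only, formatter at the default
# "Low" filter level. Low only narrows the deserialization surface; a
# Remoting listener should still never be reachable by untrusted clients.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<channel ref="http" port="8043">',
    '<channel ref="http" port="8043" bindTo="127.0.0.1">',
).replace('typeFilterLevel="Full"', 'typeFilterLevel="Low"')


def audit(config_xml: str) -> list:
    """Return a list of findings for listening channels in a remoting config."""
    root = ET.fromstring(config_xml)
    findings = []
    for channel in root.iter("channel"):
        ref = channel.get("ref", "?")
        port = channel.get("port")
        if port is None:
            continue  # client-only channel: nothing listens on it
        # bindTo restricts the listening address on both http and tcp server
        # channels; TcpServerChannel can additionally refuse non-local
        # clients via rejectRemoteRequests.
        bind_to = channel.get("bindTo")
        rejects_remote = (
            ref == "tcp"
            and channel.get("rejectRemoteRequests", "false").lower() == "true"
        )
        if bind_to not in LOOPBACK and not rejects_remote:
            findings.append(
                f"{ref} channel listens on port {port} on all interfaces"
            )
        # Only server-side formatters matter for inbound deserialization.
        for providers in channel.findall("serverProviders"):
            for fmt in providers.findall("formatter"):
                level = fmt.get("typeFilterLevel", "Low")
                if level.lower() == "full":
                    findings.append(
                        f"{fmt.get('ref', '?')} formatter on port {port} "
                        f"uses typeFilterLevel=Full"
                    )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it as-is to audit the two embedded configs, or pass the text of a real server.config to audit(). The caveat matters more than the check: typeFilterLevel="Low" limits which types the formatter will deserialize but is not a security boundary for .NET Remoting, so the actual fix is to keep the listener off the network (loopback binding, host firewall, or removing the endpoint), not to tune the formatter.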
After learning of this RCE flaw in its older software, Diebold Nixdorf is in the process of notifying all customers running older Opteva ATMs. It has also advised operators to update to the latest version (4.1.22) of the ATM software as one countermeasure. Although all Opteva systems ship with a built-in terminal-based firewall, that firewall was reportedly inactive during this evaluation, so a Remoting endpoint reachable from the network should be treated as exposed regardless of whether the host firewall is nominally present. There are no reports of this exposure being exploited outside a test environment.