Researchers found numerous security vulnerabilities in the ScrutisWeb ATM fleet monitoring software that threatened ATM security. Exploiting the vulnerabilities could allow an adversary to hack target ATMs.
Multiple Vulnerabilities Found In ScrutisWeb ATM Software
The US CISA has recently warned users of numerous serious vulnerabilities affecting the Iagona ScrutisWeb ATM fleet monitoring software.
ScrutisWeb is dedicated ATM software from Iagona, an industrial software provider, that lets banks and retailers monitor their ATM fleets for security issues and other software and hardware faults.
According to CISA’s advisory, three researchers, Neil Graves, Jorian van den Hout, and Malcolm Stagg, discovered numerous security vulnerabilities in the ScrutisWeb ATM software, which directly put the security of the monitored ATMs at risk.
Specifically, they found the following vulnerabilities affecting the Iagona ScrutisWeb versions 2.1.37 and earlier.
- CVE-2023-33871 (CVSS 7.5): a directory traversal vulnerability allowing an unauthenticated adversary to access any file outside the webroot.
- CVE-2023-38257 (CVSS 7.5): an Insecure Direct Object Reference (IDOR) vulnerability that an unauthenticated adversary may exploit to view profile data and login credentials, including encrypted passwords.
- CVE-2023-35763 (CVSS 5.5): a cryptographic weakness that would allow an unauthenticated attacker to decrypt the stored encrypted passwords and recover them in plaintext.
- CVE-2023-35189 (CVSS 10): a critical-severity remote code execution flaw allowing an unauthenticated attacker to upload and execute malicious payloads on the target systems.
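The directory traversal class behind CVE-2023-33871 is the familiar case of a file-serving endpoint that joins a client-supplied path onto the webroot without confining the result. The Python below is an added illustration of the defensive check, not ScrutisWeb's code (the page does not describe its endpoints or stack); the webroot path is a constructed placeholder, and the check also handles percent-encoded, double-encoded and backslash variants of the same escape.

```python
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed placeholder webroot for the demonstration (not a real ScrutisWeb path).
WEBROOT = "/srv/atm-monitor/webroot"


def resolve_under_webroot(webroot: str, requested: str) -> Optional[Path]:
    """Return the resolved file path only if it stays strictly inside `webroot`.

    Hypothetical hardening for a download endpoint. Decodes percent-encoding
    (repeatedly, to catch double encoding), rejects NUL bytes, normalises
    backslashes, strips leading slashes so an absolute path cannot replace the
    root, then resolves '..' segments and symlinks before the containment test.
    """
    root = Path(webroot).resolve()
    decoded = requested
    for _ in range(3):  # tolerate double/triple percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    cleaned = decoded.replace("\\", "/").lstrip("/")
    candidate = (root / cleaned).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the webroot
    if candidate == root:
        return None  # the directory itself is not a servable file
    return candidate


def check_requests(requests) -> Dict[str, bool]:
    """Map each constructed request path to whether it would be served."""
    return {r: resolve_under_webroot(WEBROOT, r) is not None for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    samples = ["reports/daily.csv", "../../../etc/passwd",
               "..%2F..%2F..%2Fetc%2Fpasswd", "%252e%252e/%252e%252e/etc/passwd",
               "..\\..\\windows\\win.ini", "reports/../../secrets.txt"]
    for req, ok in check_requests(samples).items():
        print(f"{'ALLOW' if ok else 'DENY '} {req}")
```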
Upon discovering the vulnerabilities, the researchers reported the flaws to CISA, recommending the following mitigations.
- Minimizing network exposure for control devices/systems.
- Isolating control system networks and devices from the business network and securing them with firewalls.
- Deploying VPNs to secure remote access to the systems.
Iagona has also patched the vulnerabilities in ScrutisWeb v2.1.38, so all ScrutisWeb customers must update to the latest release to receive the fixes. Moreover, CISA advises organizations to perform impact analysis and risk assessments, and to consider ATM penetration testing, before deploying defensive measures.
Let us know your thoughts in the comments.