Synack has discovered a set of vulnerabilities in Iagona's ScrutisWeb ATM monitoring software that could be exploited remotely by hackers.
A group of Synack Red Team (SRT) experts, Neil Graves, Jorian van den Hout, and Malcolm Stagg, discovered the vulnerabilities, which were assigned the numbers CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189, early in 2023.
The Iagona ScrutisWeb web application, which is owned by a France-based company, was patched in July 2023 with the release of version 2.1.38 of the product.
The report published on their blog states:
“As part of the Synack Red Team (SRT) global network of security researchers, I routinely find vulnerabilities in Synack client’s infrastructures, and web servers. On some Synack targets, SRT members are allowed to collaborate, maximizing our broad range of skill sets.”
In recent testing, the team discovered a security weakness in ScrutisWeb, which is responsible for monitoring bank ATMs and ATMs at retail units.
According to the software developer, the application is accessible from any web browser and is used by organizations worldwide to monitor ATMs and minimize response time in the case of an incident. The ATM fleets include sensitive equipment such as cheque deposit machines and payment terminals at eateries or restaurants.
Functional capabilities of the ScrutisWeb Application
The ScrutisWeb application has the following functional capabilities:
- Shutting down or rebooting a terminal or an entire unit.
- Retrieving services and information of banks.
- Monitoring the bank card readers (of ATMs).
- Sending and receiving files (to ATMs).
- Remotely modifying data (on ATMs).
Synack conducted a target enumeration process across the more than 1,000 unique IP addresses that were within the scope of the assessment being carried out.
In their commentary, the researchers wrote:
“We discovered a function in the file that allows a client to download full paths within the server’s Webroot.”
this.window.location.href = "/Download.aspx?folder=" + name;
“We determined that supplying a folder name of ‘/’ results in ScrutisWeb compressing the entire Webroot and sending it to the browser as a download.”
Basically, this feature was designed by the company to download the Webroot. However, upon further inspection of Download.aspx, it was discovered that it calls the library “Scrutis.Front.dll”, which is responsible for handling most of the users’ functions.
- CVE-2023-33871: An Absolute Path Traversal. It enables attackers to access configurations, activity logs, and databases on the server.
- CVE-2023-35189: A Remote Code Execution vulnerability. It allows an attacker, or any unauthenticated user, to upload any file and then view it again from a web browser. A hacker can go on to exploit other vulnerabilities and gain access to the ATM controllers.
- CVE-2023-38257: An Insecure Direct Object Reference, a security flaw in the GetUserDetails method prototype, which accepts a single integer as input in an HTTP POST request. For example, sending the parameter ‘1’ to the function returns user information such as the username and password of all users of the system.
- CVE-2023-35763: A Hardcoded Encryption Key. By searching for the term ‘crypt’, the researchers located a decrypt function that accepts a ciphertext as input and returns a UTF8 plaintext string. The function includes a line that discloses the plaintext string used as the encryption key for encrypting and decrypting users’ passwords. Using a Python script, the team decrypted the encrypted passwords and gained access to an administrative account via the ScrutisWeb application.
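For defenders reviewing web server logs from an unpatched ScrutisWeb host, the following added example (not code from Synack or Iagona) flags requests to Download.aspx whose folder parameter is an absolute path or contains a parent-directory segment, as described for CVE-2023-33871. The log layout, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines; the "METHOD URI STATUS CLIENT-IP" layout is an assumption.
SAMPLE_LOG = """\
GET /Download.aspx?folder=reports 200 198.51.100.7
GET /Download.aspx?folder=/ 200 203.0.113.9
GET /Download.aspx?folder=%2F 200 203.0.113.9
GET /Download.aspx?folder=..%5C..%5Cconfig 404 203.0.113.9
GET /download.aspx?FOLDER=C:%5Cinetpub 200 203.0.113.10
GET /Default.aspx?folder=/ 200 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are also seen."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_folder(value):
    """Return why a decoded folder value is suspicious, or None if it looks relative."""
    path = value.strip().replace("\\", "/")
    if path.startswith("/") or DRIVE_RE.match(path):
        return "absolute path"
    if ".." in path.split("/"):
        return "parent-directory segment"
    return None

def find_suspicious(log_text):
    """Return (client_ip, status, uri, reason) for each flagged Download.aspx request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not urlsplit(m.group(2)).path.lower().endswith("/download.aspx"):
            continue
        _method, uri, status, ip = m.groups()
        for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            reason = classify_folder(fully_decode(value)) if key.lower() == "folder" else None
            if reason:
                hits.append((ip, int(status), uri, reason))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

Flagged requests that returned status 200 deserve the first look, since they indicate the server actually produced a download.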
The impact is said to be high risk, as an attacker can log into the ScrutisWeb management console as an administrator by combining CVE-2023-38257 and CVE-2023-35763.
Successful access grants the attacker the ability to monitor the activities of individual ATMs within the fleet. The console, which is said to allow the ATMs to be dropped into management mode, also allows uploading files to them, rebooting them, or even powering them off. An attacker could also clear logs on ScrutisWeb to wipe evidence or tracks of having been there, or gain a foothold in the client’s facilities.
The mitigation provided by Iagona, the company that designed the application, is a new version of the application, ScrutisWeb version 2.1.38.