Threat Watch

Diebold Nixdorf ATMs Found to Have Older RCE Bug

Researchers found that Diebold's Opteva ATMs expose a network-reachable service named "Spiservice." The service was traced to a library named "MSXFS.dll," the XFS library used on the ATMs. Tests were run on a Diebold ATM running Agilis XFS for Opteva version 4.1.61.1. When the service was accessed from a web browser, it loaded a library named "VDMXFS.dll" and exposed a remote configuration parameter; the researchers showed that this parameter could be abused to deliver a reverse-shell payload, giving complete control of the Opteva ATM. Working exploitation was demonstrated in their blog post. A security alert released by Diebold stated, "While all Opteva systems come equipped with a terminal-based firewall installed, from the information we have, the terminal-based firewall of the system was most likely not active during the evaluation. We have not received any reports of this potential exposure being exploited outside of a test environment." Diebold is notifying customers that operate Opteva ATMs and advising them to update to version 4.1.22.

ANALYST NOTES

Beyond applying the vendor update, a host firewall, TLS on the service connection, a MAC-verification layer, and LAN/VLAN intrusion detection and prevention would each make this exploit harder to execute or easier to detect; note that the vendor's own alert attributes the successful test to the terminal firewall most likely being inactive, so confirming that it is actually enabled is the first check. Physical access to the terminal should also be controlled: lock the service compartment, require two-factor authentication for technician access, and add visual monitoring.
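The following audit script is an added example written for this note; it is not the researchers' or Diebold's code and it does not use any vendor-specific identifiers beyond the "Spiservice" name reported above. It assumes the Opteva terminal runs a Windows build that ships the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later), that the exposed service shows up as a process whose name contains "spiservice" (an assumed match pattern, since the page does not give the process name), and that its TCP port is unknown and therefore discovered from the listening-socket table rather than hard-coded. It checks the two things the analyst notes and the vendor alert point at: whether every firewall profile is enabled, and whether the service is listening on all interfaces and so reachable from the LAN. The optional remediation restricts the port to a single trusted peer and is run with -WhatIf so it only previews the change.

```powershell
# Added example (not vendor or researcher code). Run on the ATM host as an
# administrator. Assumptions are marked inline.
param(
    [string]$ServicePattern = 'spiservice',  # assumed process-name substring
    [string]$AllowedPeer    = ''             # optional: only IP allowed to reach the service
)

$findings = @()

# 1. Is the terminal-based firewall actually active? Diebold's alert says it was
#    "most likely not active" during the researchers' test, so check every profile
#    and its default inbound action.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings += "Firewall profile '$($profile.Name)' is DISABLED"
    } elseif ($profile.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($profile.Name)' default inbound action is $($profile.DefaultInboundAction), not Block"
    }
}

# 2. Which processes listen on all interfaces (0.0.0.0 / ::) and are therefore
#    reachable from the LAN? Flag any that match the assumed service pattern.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }

foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    if ($proc.ProcessName -match $ServicePattern) {
        $findings += "Process '$($proc.ProcessName)' (PID $($proc.Id)) listens on TCP/$($l.LocalPort) on all interfaces"

        # Any existing inbound Allow rule for this port widens exposure; list them so
        # an operator can decide whether they are needed.
        $allowRules = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$($l.LocalPort)" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
        foreach ($r in $allowRules) {
            $findings += "  existing inbound Allow rule covers TCP/$($l.LocalPort): '$($r.DisplayName)'"
        }

        # 3. Optional remediation (preview only, -WhatIf): with the profiles enabled and
        #    default inbound action Block, a single Allow rule scoped to the trusted peer
        #    is what lets only that host reach the port. Rule name is this example's choice.
        if ($AllowedPeer) {
            Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -WhatIf
            New-NetFirewallRule -DisplayName "Allow $($proc.ProcessName) TCP/$($l.LocalPort) from $AllowedPeer" `
                -Direction Inbound -Protocol TCP -LocalPort $l.LocalPort `
                -RemoteAddress $AllowedPeer -Action Allow -WhatIf
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings: firewall profiles enabled and no '$ServicePattern' listener exposed on all interfaces."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Usage: `.\audit-atm-exposure.ps1` reports only; `.\audit-atm-exposure.ps1 -AllowedPeer 10.0.0.5` additionally previews the profile hardening and the peer-scoped Allow rule. Drop the `-WhatIf` switches only after reviewing the listed existing Allow rules, because Windows Firewall does not evaluate a narrow Allow before a broader one: any other enabled inbound Allow rule for the same port would still admit other hosts.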