PT-2020-11948 · Ncr · Aptra Xfs +1

Dmitry Turchenkov +1 · Published 2020-08-21 · Updated 2025-11-04 · CVE-2020-10126

CVSS v3.1: 7.6 (High)

Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NCR SelfServ ATMs running APTRA XFS version 05.01.00

Description

The issue concerns a lack of proper validation for software updates related to the bunch note acceptor (BNA) in NCR SelfServ ATMs. This allows an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges. The vulnerability is exploited during the boot process when the update mechanism searches for CAB archives on removable media and executes a specific file without validating the CAB archive's signature.

Recommendations

For NCR SelfServ ATMs running APTRA XFS version 05.01.00, consider restricting physical access to internal ATM components to minimize the risk of exploitation. As a temporary workaround, avoid using removable media for updates until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
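
The check whose absence the description names, shown as an added example (not NCR's code and not part of the original advisory): a PowerShell gate that finds CAB archives on removable media and accepts one only if its Authenticode signature is valid and comes from a pinned signer. The function names are hypothetical and the thumbprint is a constructed placeholder.

```powershell
# Added example. Placeholder thumbprint (constructed); replace with the
# vendor's real code-signing certificate thumbprint(s).
$TrustedSignerThumbprints = @('0000000000000000000000000000000000000000')

function Test-UpdateArchive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedThumbprints
    )
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    # A valid signature alone is not enough: any trusted publisher could sign
    # a CAB, so the signer is also pinned to an allow-list.
    $trusted = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid) -and
               ($null -ne $signer) -and
               ($AllowedThumbprints -contains $signer.Thumbprint)
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = if ($signer) { $signer.Subject } else { $null }
        Trusted = $trusted
    }
}

function Get-RemovableUpdateArchive {
    # Enumerate mounted removable drives and list the CAB archives on them.
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq [System.IO.DriveType]::Removable -and $_.IsReady } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.RootDirectory.FullName -Filter *.cab `
                -File -Recurse -ErrorAction SilentlyContinue
        }
}

# Report every archive; unsigned, tampered or foreign-signed ones are rejected.
Get-RemovableUpdateArchive | ForEach-Object {
    $result = Test-UpdateArchive -Path $_.FullName -AllowedThumbprints $TrustedSignerThumbprints
    if (-not $result.Trusted) {
        Write-Warning "Rejecting $($result.Path): signature status $($result.Status)"
    }
    $result
}
```

An update loader applying this gate should verify a copy held on local storage and extract from that same copy, so the archive cannot be swapped on the removable device between the check and its use.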

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2020-10126

Affected Products

Aptra Xfs
Ncr Selfserv Atms