
Positive Technologies application analysis specialist Maxim Kozhevnikov discovered a dangerous 0-day vulnerability in the Solidcore ATM security system, which is part of the McAfee Application Control (MAC) product. The flaw allows an attacker to execute arbitrary code and elevate privileges on the system.
What is the problem
The zero-day vulnerability CVE-2016-8009 was found in the course of analyzing the security of the ATMs of a large bank. Solidcore is used in many Windows-based ATMs to identify and block malicious files using whitelists, and to control the privileges of running processes. Initially, Solidcore was a product of Solidcore Systems, but in 2009 it was acquired by McAfee, which was in turn acquired by Intel. Solidcore is currently part of the McAfee Application Control (MAC) product, although many on the market still use the old name.
The vulnerability discovered by the Positive Technologies expert allows an unauthorized user to use the IOCTL handler of one of the product's drivers to corrupt Windows kernel memory. Exploiting the vulnerability can lead to execution of arbitrary code with SYSTEM rights, elevation of user privileges from Guest to SYSTEM, or an OS crash.
During the investigation, this vulnerability made it possible to control Solidcore components on demand and perform actions with SYSTEM rights: in particular, disabling Solidcore's interaction with the ePolicy Orchestrator management server, disabling the Solidcore management console lock, disabling password protection, and injecting code into any system process. With access to the vulnerable driver, an attacker can use it to add malware to Solidcore whitelists without having to completely disable protection and communication with the management server, and so without raising suspicion or leaving entries in the logs.
Knowing about such a vulnerability, hackers can successfully attack a bank of interest to them using specially prepared malicious programs. Similar attacks have already taken place: in particular, the Tyupkin ATM Trojan discovered in 2014 is notable for being able to disable Solidcore to hide its malicious activity. Using this Trojan, criminals were able to steal hundreds of thousands of dollars from ATMs in Eastern Europe without attracting attention.
How to reduce the risk
Intel Security has released a patch for the flaw. According to Positive Technologies experts, the risk of attackers abusing the driver can be reduced if the developers provide a user authorization mechanism for access to the driver's dispatch functions. If this is not possible, I/O request dispatching should be implemented in accordance with the SDL requirements for WDM drivers.
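The two developer-side measures above, authorization on the dispatch path and SDL-style validation of every length the caller controls, are shown in the following added example. It is a constructed user-mode model of a METHOD_BUFFERED IOCTL dispatch routine, not the Solidcore driver and not code from the article; the control code, the request layout and the caller_is_admin flag (which stands in for the device object's security descriptor) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a WDM dispatch routine; not the Solidcore driver. */

/* NTSTATUS values as defined in ntstatus.h */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* CTL_CODE and its arguments as in the WDK headers; function number 0x800 is hypothetical. */
#define CTL_CODE(type, func, method, access) \
    (((uint32_t)(type) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(func) << 2) | (uint32_t)(method))
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_WRITE_ACCESS   2
#define IOCTL_MODEL_SET_POLICY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

#define POLICY_STORE_SIZE 64  /* fixed kernel-side buffer the request payload is copied into */

/* Constructed request/reply layouts shared with user mode. */
typedef struct {
    uint32_t version;
    uint32_t payload_len;  /* caller-controlled: must be checked against the real buffer size */
    uint8_t  payload[];    /* payload_len bytes follow the header */
} SetPolicyRequest;

typedef struct { uint32_t stored_len; } SetPolicyReply;

/* The IRP fields a dispatch routine sees for a METHOD_BUFFERED request. */
typedef struct {
    uint32_t code;            /* IrpSp->Parameters.DeviceIoControl.IoControlCode */
    uint8_t *system_buffer;   /* Irp->AssociatedIrp.SystemBuffer: one buffer for input and output */
    uint32_t input_length;    /* Parameters.DeviceIoControl.InputBufferLength */
    uint32_t output_length;   /* Parameters.DeviceIoControl.OutputBufferLength */
    bool     caller_is_admin; /* stands in for the device object's security descriptor check */
} IoctlRequest;

static uint8_t  g_policy_store[POLICY_STORE_SIZE];
static uint32_t g_policy_len;

uint32_t dispatch_ioctl(IoctlRequest *req, uint32_t *bytes_returned)
{
    *bytes_returned = 0;
    /* 1. Authorize before parsing anything. A real driver enforces this by creating the
     *    device with IoCreateDeviceSecure() and an SDDL string limiting access to SYSTEM
     *    and Administrators, so an unprivileged process cannot open the device at all. */
    if (!req->caller_is_admin)
        return STATUS_ACCESS_DENIED;
    if (req->code != IOCTL_MODEL_SET_POLICY)
        return STATUS_INVALID_DEVICE_REQUEST;
    /* 2. Check the lengths reported by the I/O manager before touching the buffer. */
    if (req->system_buffer == NULL || req->input_length < sizeof(SetPolicyRequest))
        return STATUS_INVALID_PARAMETER;
    if (req->output_length < sizeof(SetPolicyReply))
        return STATUS_BUFFER_TOO_SMALL;
    const SetPolicyRequest *in = (const SetPolicyRequest *)req->system_buffer;
    /* 3. Check the length embedded in the request against the bytes actually supplied and
     *    against the fixed kernel store; trusting payload_len alone corrupts kernel memory. */
    if (in->payload_len > POLICY_STORE_SIZE ||
        in->payload_len > req->input_length - sizeof(SetPolicyRequest))
        return STATUS_INVALID_PARAMETER;
    memcpy(g_policy_store, in->payload, in->payload_len);
    g_policy_len = in->payload_len;
    /* 4. Write the reply only after all reads: input and output share the system buffer. */
    SetPolicyReply *out = (SetPolicyReply *)req->system_buffer;
    out->stored_len = g_policy_len;
    *bytes_returned = sizeof(SetPolicyReply);
    return STATUS_SUCCESS;
}

/* Demo client: fills a buffer sized like the I/O manager's system buffer and dispatches it. */
static uint32_t g_io_buffer[64];  /* uint32_t storage keeps the struct casts aligned */

uint32_t send_set_policy(uint32_t claimed_len, uint32_t input_length,
                         uint32_t output_length, bool caller_is_admin)
{
    if (input_length > sizeof g_io_buffer || output_length > sizeof g_io_buffer)
        return STATUS_INVALID_PARAMETER;
    memset(g_io_buffer, 0x41, sizeof g_io_buffer);  /* constructed payload bytes */
    SetPolicyRequest *r = (SetPolicyRequest *)g_io_buffer;
    r->version = 1;
    r->payload_len = claimed_len;
    IoctlRequest req = { IOCTL_MODEL_SET_POLICY, (uint8_t *)g_io_buffer,
                         input_length, output_length, caller_is_admin };
    uint32_t returned = 0;
    return dispatch_ioctl(&req, &returned);
}

uint32_t stored_policy_len(void) { return g_policy_len; }

int main(void)
{
    printf("16-byte payload, admin    -> 0x%08X\n", (unsigned)send_set_policy(16, 24, 4, true));
    printf("payload_len claims 4096   -> 0x%08X\n", (unsigned)send_set_policy(4096, 24, 4, true));
    printf("unprivileged caller       -> 0x%08X\n", (unsigned)send_set_policy(16, 24, 4, false));
    return 0;
}
```

The order of the checks is the point: authorization happens before any byte of the request is interpreted, and the caller-supplied payload_len is bounded by InputBufferLength as well as by the destination size, which is the check a handler that trusts its own header fields is missing. For METHOD_NEITHER requests the same validation would additionally need ProbeForRead/ProbeForWrite inside a __try block, since the driver then receives raw user-mode pointers.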
As for protective measures on the client side, that is, at banks, the main measure is regular auditing of ATM security, together with defining policies for the secure configuration of ATMs and continuously monitoring compliance with them. Such control will significantly improve ATM security against attacks that exploit the simplest vulnerabilities, such as bypassing kiosk mode or the absence of a BIOS password. To detect targeted attacks in real time, it is recommended to use security event monitoring systems (SIEM), which can detect suspicious actions or combinations of actions, such as connecting unusual devices to an ATM, a sudden reboot, too-frequent keystrokes, or execution of forbidden commands.