CVE-2020-10125

Published: Aug 21, 2020Modified: Nov 4, 2025

7.6

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 6.0

Source: NVD

Description

NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code.

Affected (2)

Products: Ncr: Aptra Xfs

1 product

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ncr Aptra Xfs	Version 04.02.01
Ncr Aptra Xfs	Version 05.01.00

Running on/with	Platform Versions
Ncr Selfserv Atm	All versions

Related CWEs

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (5)

https://kb.cert.org/vuls/id/815655

Source: cret@cert.org

Third Party AdvisoryUS Government Resource

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_

Source: cret@cert.org

Broken Link

https://kb.cert.org/vuls/id/815655

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.kb.cert.org/vuls/id/815655

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.