CVE-2024-0674
CVSS v3.1 Base Score: 7.8 (High)
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD
Description
Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, version 7.1, which could allow a local user to acquire root permissions by modifying updatescript.js, inserting code of their choosing into the script, and creating the done.txt file. The presence of done.txt causes the watchdog process, which runs as root, to execute the payload stored in updatescript.js. Any local account that can write updatescript.js and create done.txt therefore obtains root, because the watchdog trusts the script without checking who owns it, who can write it, or whether its contents are what the vendor shipped.
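The trigger the description outlines (a root watchdog that runs an update script as soon as a marker file appears) is shown below first in its flawed shape and then with the checks it lacks. This is an added example, not Lamassu code: the directory layout, the hash-allowlist argument and all function names are assumptions, and only the file names updatescript.js and done.txt come from the advisory.

```python
"""Added example (not Lamassu code): a root watchdog that executes an update
script when a 'done' marker appears, first in the flawed shape the advisory
describes, then with the integrity checks a root-privileged executor needs.
Paths, hashes and helper names are hypothetical."""
import hashlib
import os
import stat
import tempfile

# The advisory names only these two files; the directory is an assumption.
SCRIPT_NAME = "updatescript.js"
DONE_NAME = "done.txt"


def vulnerable_trigger(update_dir):
    """Flawed logic: the presence of done.txt is the only gate before the
    root watchdog would run updatescript.js (CWE-269 / CWE-281)."""
    script = os.path.join(update_dir, SCRIPT_NAME)
    done = os.path.join(update_dir, DONE_NAME)
    return os.path.exists(done) and os.path.exists(script)


def _untrusted_writable(st, trusted_uid):
    """True if anyone other than trusted_uid could have written the object."""
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def hardened_trigger(update_dir, expected_sha256, trusted_uid=0):
    """Same trigger with the checks a root-privileged executor needs:
    - reject a symlinked script (it could redirect the watchdog elsewhere),
    - reject a script or directory owned by, or writable to, anyone but trusted_uid,
    - require the script to hash to the value the vendor shipped with the update
      (a stand-in here for a real signature check).
    Returns (should_run, reason)."""
    script = os.path.join(update_dir, SCRIPT_NAME)
    done = os.path.join(update_dir, DONE_NAME)
    if not os.path.exists(done):
        return False, "no done marker"
    try:
        dir_st = os.lstat(update_dir)
        script_st = os.lstat(script)
    except FileNotFoundError:
        return False, "script missing"
    if stat.S_ISLNK(script_st.st_mode):
        return False, "script is a symlink"
    if _untrusted_writable(dir_st, trusted_uid):
        return False, "update directory writable by untrusted user"
    if _untrusted_writable(script_st, trusted_uid):
        return False, "script writable by untrusted user"
    with open(script, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != expected_sha256:
        return False, "script hash mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: a world-writable script plus a done marker, as a
    low-privileged local user could arrange. The current uid stands in for root
    so the demo runs offline without privileges.
    Returns (vulnerable_result, hardened_reason_before_fix, ok_after_fix, reason_after_fix)."""
    update_dir = tempfile.mkdtemp()  # created mode 0700, owned by the caller
    me = os.getuid()
    script = os.path.join(update_dir, SCRIPT_NAME)
    with open(script, "w") as fh:
        fh.write("// attacker-controlled contents (constructed)\n")
    os.chmod(script, 0o666)  # writable by any local user, as the flaw permits
    open(os.path.join(update_dir, DONE_NAME), "w").close()

    vuln = vulnerable_trigger(update_dir)
    vendor_hash = hashlib.sha256(b"console.log('legit update');\n").hexdigest()
    _, before = hardened_trigger(update_dir, vendor_hash, trusted_uid=me)

    # Operator restores the vendor contents and root-only write permissions.
    with open(script, "w") as fh:
        fh.write("console.log('legit update');\n")
    os.chmod(script, 0o644)
    ok, after = hardened_trigger(update_dir, vendor_hash, trusted_uid=me)
    return vuln, before, ok, after


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks close the hole the advisory describes; the hash comparison is the minimum content check and should be a vendor signature verification in a real updater, since a root process must never execute code whose only provenance is "a file appeared in a directory local users can write".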
Affected (2)
Products: Lamassu: Douro Firmware, Douro Ii Firmware
Configuration A

| Vulnerable Software | Affected Versions |
|---|---|
| Lamassu Douro Firmware | Version 7.1 |

| Running on/with | Platform Versions |
|---|---|
| Lamassu Douro | All versions |

Configuration B

| Vulnerable Software | Affected Versions |
|---|---|
| Lamassu Douro Ii Firmware | Version 7.1 |

| Running on/with | Platform Versions |
|---|---|
| Lamassu Douro Ii | All versions |
Related CWEs
CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-281
Improper Preservation of Permissions
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
References (2)
Source: cve-coordination@incibe.es
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Timeline
No history available yet.