Multiple vulnerabilities in Lamassu Bitcoin ATM Douro machines

Posted date 18/01/2024
3 - Medium
Affected Resources
  • Lamassu's Douru ATM Bitcoin ATMs, 7.1 version.

INCIBE has coordinated the publication of 3 vulnerabilities of medium severity affecting Lamassu´s Bitcoin ATM Douro machines, in its 7.1 version, which have been discovered by Gabriel González.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:

  • CVE-2024-0674: 6.3 | CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-269.
  • CVE-2024-0675: 6.3 | CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-754. 
  • CVE-2024-0676: 5.6 | CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | CWE-521. 

The vulnerabilities have been resolved in version 8.1.5-1 and 8.1.6. For more information, see the "References" section.

  • CVE-2024-0674: privilege escalation vulnerability, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js.
  • CVE-2024-0675: vulnerability of improper checking for unusual or exceptional conditions, the exploitation of which could allow an attacker with physical access to the ATM to escape kiosk mode, access the underlying Xwindow interface and execute arbitrary commands as an unprivileged user.
  • CVE-2024-0676: weak password requirement vulnerability, which allows a local user to interact with the machine where the application is installed, retrieve stored hashes from the machine and crack long 4-character passwords using a dictionary attack.