McAfee ATM Security Detects Dangerous Vulnerability

Positive Technologies application analysis specialist Maxim Kozhevnikov discovered a dangerous 0-day vulnerability in the Solidcore ATM security system, which is part of the McAfee Application Control (MAC) product. The error allows an attacker to execute arbitrary code and increase privileges in the system.
What is the problem
Zero-day vulnerability CVE-2016-8009 was found during the analysis of the security of ATMs of one of the largest banks. The Solidcore system is used in many ATMs for Windows to detect and block malicious files using white lists, as well as to control the privileges of running processes. Solidcore was originally a product of Solidcore Systems, but in 2009 it was bought by MacAfee, which Intel, in turn, bought. Solidcore is currently part of the McAfee Application Control (MAC) product, although many still use the old name on the market.
A vulnerability discovered by a Positive Technologies expert allows an unauthorized user to use the IOCTL processor of one of the drivers to corrupt the memory of the Windows kernel. Exploitation of the vulnerability could lead to the execution of arbitrary code with SYSTEM privileges, elevation of user privileges from Guest to SYSTEM, or an emergency stop of the OS.
In the process of investigation, this vulnerability allowed managing Solidсore components on demand and performing SYSTEM rights - in particular, disabling Solidcore interaction with the ePolicy Orchestrator management server, disabling Solidcore management console lockout, disabling password protection, and implementing code injection into any system processes. Having access to a vulnerable driver, an attacker can use it to add malware to Solidcore white lists without having to completely disable protection and communication with the management server, thereby not causing suspicion and log entries.
Knowing about such a vulnerability, hackers can successfully carry out an attack on the bank of interest to them using specially prepared malware. And similar attacks have already taken place. In particular, in 2014 a Trojan was discovered for Tyupkin ATMs, which is distinguished by the fact that it can disable Solidcore in order to hide its malicious activity. Thanks to this trojan, criminals were able to steal hundreds of thousands of dollars from ATMs in Eastern Europe without attracting attention.
How to reduce risk
Intel Security has released a patch for the detected bug. According to experts of Positive Technologies, it is possible to reduce the risk of using the driver by attackers if the developers provide a user authorization mechanism for accessing the driver's dispatch functions. If this is not possible, I / O request scheduling should be in accordance with the SDL requirements for WDM.
With regard to protective measures on the client side, that is, banks, the main measure is a regular audit of the security of ATMs, as well as the creation of policies for the safe setup of ATMs and constant monitoring of compliance with these policies. Such control will significantly increase the security of ATMs against attacks that exploit the simplest vulnerabilities, such as bypassing kiosk mode and the lack of a password on the BIOS. And to detect targeted attacks in real time, it is recommended to use Security Event Monitoring Systems ( SIEM ), which allow you to detect suspicious actions or combinations of actions, such as connecting unusual devices to the ATM, sudden rebooting, too often pressing keys or executing forbidden commands.