SB2018081017 - Security restrictions bypass in NCR S1 and S2
Published: August 10, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2017-17668)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient protection of memory write mechanism in NCR S1 Dispenser controller. remote attacker can upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
2) Security restrictions bypass (CVE-ID: CVE-2018-5717)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions on the target system.
The weakness exists due to insufficient protection of memory write mechanism in NCR S2 Dispenser controller. remote attacker can upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
Remediation
Install update from vendor's website.