MidnightBSD

Advisories for lamassu

CVE-2024-0674

Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve-coordination@incibe.es 6.3 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 0.4 5.9

Products Affected

Vendor Product Version
lamassu douro_firmware 7.1
lamassu douro_ii_firmware 7.1
CVE-2024-0675

Vulnerability of improper checking for unusual or exceptional conditions in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, the exploitation of which could allow an attacker with physical access to the ATM to escape kiosk mode, access the underlying Xwindow interface and execute arbitrary commands as an unprivileged user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9
cve-coordination@incibe.es 6.3 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 0.4 5.9

Products Affected

Vendor Product Version
lamassu douro_firmware 7.1
lamassu douro_ii_firmware 7.1
CVE-2024-0676

Weak password requirement vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version , which allows a local user to interact with the machine where the application is installed, retrieve stored hashes from the machine and crack long 4-character passwords using a dictionary attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2
cve-coordination@incibe.es 5.6 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 0.4 5.2

Products Affected

Vendor Product Version
lamassu douro_firmware 7.1
lamassu douro_ii_firmware 7.1