CVE-2023-28865

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who is able to manipulate the contents of the systems hard disk.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name	Vendor	Start Version	End Version
Vynamic_security_suite	Dieboldnixdorf	*	3.3.0sr15 (excluding)
Vynamic_security_suite	Dieboldnixdorf	4.0.0 (including)	4.0.0sr05 (excluding)
Vynamic_security_suite	Dieboldnixdorf	4.1.0 (including)	4.1.0sr03 (excluding)
Vynamic_security_suite	Dieboldnixdorf	4.2.0 (including)	4.2.0sr02 (excluding)

https://cwe.mitre.org/data/definitions/111.html
https://cwe.mitre.org/data/definitions/141.html
https://cwe.mitre.org/data/definitions/142.html
https://cwe.mitre.org/data/definitions/148.html
https://cwe.mitre.org/data/definitions/218.html
https://cwe.mitre.org/data/definitions/384.html
https://cwe.mitre.org/data/definitions/385.html
https://cwe.mitre.org/data/definitions/386.html
https://cwe.mitre.org/data/definitions/387.html
https://cwe.mitre.org/data/definitions/388.html
https://cwe.mitre.org/data/definitions/665.html
https://cwe.mitre.org/data/definitions/701.html

References

https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Matt%20Burch%20-%20Where%E2%80%99s%20the%20Money%20-%20Defeating%20ATM%20Disk%20Encryption-white%20paper.pdf
https://www.dieboldnixdorf.com/en-us/banking/portfolio/software/security/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-28865
CWE	https://cwe.mitre.org/data/definitions/345.html

Insufficient Verification of Data Authenticity

Weakness

Affected Software

Related Attack Patterns

References