CVE-2022-4980
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-09-22
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| general_bytes | crypto_application_server | 20220725.22 |
| general_bytes | crypto_application_server | 20220531.38 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-4980 is a critical vulnerability in the General Bytes Crypto Application Server (CAS) software that allows an unauthenticated remote attacker to create a new administrative user account by exploiting the URL used for the default installation or first-admin creation page. This authentication bypass in the admin web interface enables the attacker to gain admin privileges without any credentials. Once inside, the attacker can manipulate ATM configurations, such as redirecting cryptocurrency payments to their own wallet. The vulnerability was actively exploited in the wild, targeting CAS instances exposed on ports 7777 or 443, affecting both cloud-hosted and standalone deployments. [1, 2, 3, 5, 6]
How can this vulnerability impact me?
This vulnerability can lead to significant financial losses by allowing attackers to gain unauthorized administrative access to the CAS system managing Bitcoin ATMs. Attackers can create new admin users, modify ATM configurations, and redirect cryptocurrency payments (especially invalid payments) to their own wallets. This results in theft of funds from customers using the affected ATMs. The attack does not compromise the underlying operating system or sensitive credentials but causes monetary loss through malicious configuration changes. Operators have reported losses estimated around $16,000 USD. Additionally, failure to properly remediate after patching can prolong exposure and losses. [1, 2, 4, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious activity related to the CAS admin interface, especially access to the default installation or first-admin creation page URL. Operators should check logs (e.g., admin.log) for suspicious entries such as "Server activated" which may indicate unauthorized admin creation. Network detection can include scanning for CAS services exposed on TCP ports 7777 or 443 and monitoring for unusual HTTP requests to the default installation endpoint. Indicators of Compromise (IoCs) have been identified by General Bytes to assist detection, though exact endpoint names are not publicly disclosed. Commands to check open ports and network connections could include: `netstat -an | grep 7777` or `netstat -an | grep 443` to identify exposed CAS services, and reviewing web server or CAS logs for suspicious URL access patterns. Additionally, operators should review user accounts and terminals for unrecognized entries. [1, 6]
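As an added example (not code from BaseFortify or General Bytes), the following POSIX shell helpers automate the two log and port checks described above: counting and listing "Server activated" entries in admin.log, and filtering netstat-style output for CAS services listening on TCP 7777 or 443. The admin.log line format and the netstat sample are constructed assumptions; adjust the patterns to what your server actually writes.

```shell
#!/bin/sh
# Added triage helper (not from BaseFortify or General Bytes) for the
# detection steps above:
#   1) look for the "Server activated" marker in admin.log
#   2) spot CAS services listening on TCP 7777 or 443 in netstat output
# The log line format and the netstat sample below are constructed
# assumptions; adapt the patterns to the real files on your server.

# Count "Server activated" entries in the given log file and print the count.
# A count higher than the number of activations you performed yourself is
# worth checking against the user and terminal lists in the admin interface.
count_server_activated() {
    logfile="$1"
    n=$(grep -c 'Server activated' "$logfile" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print the matching lines so their timestamps can be compared with
# change records and shift logs.
list_server_activated() {
    grep 'Server activated' "$1" 2>/dev/null || true
}

# Filter `netstat -an` style output (read from stdin) for LISTEN sockets whose
# local port is 7777 or 443. Prints the matching lines; exits 0 if any were
# found and 1 otherwise, so it can drive an alert from a cron job.
cas_listeners() {
    awk '$NF == "LISTEN" && $4 ~ /:(7777|443)$/ { print; found = 1 }
         END { exit found ? 0 : 1 }'
}

# --- demo on constructed data; in production: netstat -an | cas_listeners ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2025-09-01 10:00:00 INFO Server activated
2025-09-01 10:05:00 INFO Login user=operator
2025-09-01 23:41:07 INFO Server activated
EOF

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

echo "Server activated entries: $(count_server_activated "$SAMPLE_LOG")"
list_server_activated "$SAMPLE_LOG"
echo "CAS ports listening:"
printf '%s\n' "$SAMPLE_NETSTAT" | cas_listeners || echo "(none)"
rm -f "$SAMPLE_LOG"
```

A second "Server activated" entry at an hour when no operator was working is the kind of finding this surfaces; it is a prompt to review accounts and terminals, not proof of compromise on its own. The awk filter keys on the LISTEN state and the local-address column of Linux netstat output, so on systems with a different column layout (or when using `ss`) the field index needs adjusting.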
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Stop the admin and master CAS services.
2. Upgrade CAS servers to the patched versions 20220531.38 (backport) or 20220725.22 (mainline).
3. Restrict access to the CAS admin interface via firewall rules to trusted IP addresses only.
4. Restart the admin services after patching.
5. Deactivate all ATM terminals, or at least the two-way terminals, to prevent unauthorized transactions.
6. Review and remove any unrecognized users and terminals, including unpaired ones.
7. Reset all user passwords except your own.
8. Verify crypto settings and run tests to ensure wallet addresses and strategies are correct.
9. Check logs for suspicious activity.
10. Conduct threat hunting to ensure no lingering compromise.
11. Report incident details to General Bytes to aid investigations.

Operators are warned not to operate GB ATM servers without applying these measures. [1, 6]