
Corporate Product & Solution Security


019-23/0001 – Potential Remote Code Execution on Opteva Terminals
20190607/RK/01 June 07, 2019

Diebold Nixdorf was recently informed about a potential remote code execution vulnerability on Opteva terminals. The
potential exposure is part of the Agilis XFS service, which uses .NET Remoting over an externally facing http

Description of Potential Threat

According to an online publication, security researchers were allegedly able to remotely access an Opteva
terminal using the AgilisXFS service that was listening for a network connection. Our analysis indicates
this connection only exists with Agilis® XFS for Opteva version 4.x where the XFS software for the Bulk
Cash Recycling Module (BCRM) is installed. The latest version of Agilis XFS for Opteva includes the XFS
software for the BCRM by default.

While every Opteva system ships with a terminal-based firewall installed, the information available to us
indicates that the terminal-based firewall was most likely not active during the evaluation.

We have not received any reports of this potential exposure being exploited outside of a test environment.

Recommendation for Countermeasures

Diebold Nixdorf understands the impact of this threat and supports customers in identifying and deploying
potential solutions. From a holistic security approach, Diebold Nixdorf recommends implementing the
following countermeasures:

1) Apply Latest Agilis XFS Configuration Change

• Apply “Agilis XFS for Opteva - BulkCashRec (BCRM)” version 4.1.22 to change the configuration of
this service from an externally facing HTTP channel to interprocess communication (IPC). This
version depends on “Agilis XFS for Opteva – Core” version 4.1.43.

2) Protect Network Communications

• Activate the system/host-based firewall and apply an adequate configuration.
• Secure the connection to the host with TLS and Message Authentication Codes (MACs), with the
host verifying the MAC on each message.
• Follow network security best practices, including a segmented and secured LAN/VLAN with
intrusion detection and prevention.

© 2019 Diebold Nixdorf, all rights reserved   CUSTOMER CONFIDENTIAL


3) Implement Hardening of the Software Stack

• Implement hard disk encryption mechanisms to protect the ATM from software modifications
(offline attacks).
• Introduce intrusion prevention mechanisms in order to identify deviating system behavior and
protect the ATM during operation (online attacks).

4) Limit Physical Access to the ATM

• Use appropriate locking mechanisms to secure the head compartment of the ATM.
• Implement access control for service technicians based on two-factor authentication.
• Control access to areas used by personnel to service the ATM.
• Terminal operators should conduct frequent visual inspections of the terminal.

5) Implement Protection Mechanisms for Cash Modules

• Use firmware with latest security functionality.
• Enable communication encryption with most secure configuration applicable.

6) Set Up Additional Measures

• Ensure real-time monitoring of security relevant hardware and software events including
unexpected opening of the top hat compartment and safe door of the ATM.
• Investigate suspicious activity such as deviating or inconsistent transaction or event patterns,
which can be caused by an interrupted connection to the dispenser.
• Keep your operating system, software stack, and your configuration up to date.
• Implement secure software update processes and follow security best practices on password
management of remote access tools.
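Countermeasure 1 above changes the BCRM service's .NET Remoting channel from externally facing HTTP to interprocess communication. The C# program below is an added illustration, not Diebold Nixdorf code and not a reproduction of the Agilis XFS service; it shows what that difference looks like in the .NET Remoting API. The weak host registers an HttpChannel on a TCP port, which binds to every interface and is reachable by any peer the host firewall lets through; the hardened host registers an IpcChannel on a local named pipe, limited to one Windows group and refusing requests that arrive over the network. The service type, object URI, pipe name, group name and port number are placeholders; the channel property names are those documented for IpcServerChannel.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Runtime.Remoting.Channels.Ipc;

// Stand-in for a device service published over .NET Remoting.
// Illustrative type only; it is not the Agilis XFS service.
public class CashModuleService : MarshalByRefObject
{
    public string GetStatus()
    {
        return "OK";
    }
}

public static class RemotingHost
{
    // Placeholder object URI for the well-known service object.
    private const string ObjectUri = "CashModule.rem";

    // Weak configuration, in the spirit of the exposure described in the advisory:
    // an HttpChannel created from a port number listens on all interfaces, so any
    // host that can reach the terminal on that port can call the remoted object.
    public static void StartExternallyFacingHttp(int port)
    {
        var channel = new HttpChannel(port);
        // HttpChannel has no built-in authentication or encryption, so
        // ensureSecurity must be false here (true would throw).
        ChannelServices.RegisterChannel(channel, false);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(CashModuleService), ObjectUri, WellKnownObjectMode.Singleton);
    }

    // Hardened configuration: an IpcChannel over a local named pipe. Only processes
    // on the same machine can open it, the pipe ACL is restricted to one Windows
    // group, and requests arriving over the network (SMB) are rejected.
    public static void StartLocalIpc(string pipeName, string authorizedGroup)
    {
        var props = new Hashtable();
        props["portName"] = pipeName;               // name of the local pipe
        props["authorizedGroup"] = authorizedGroup; // only this group may open the pipe
        props["rejectRemoteRequests"] = true;       // refuse pipe connections from other hosts
        props["exclusiveAddressUse"] = true;        // fail if the pipe name is already taken
        var channel = new IpcChannel(props, null, null);
        // ensureSecurity = true: the pipe is authenticated and encrypted.
        ChannelServices.RegisterChannel(channel, true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(CashModuleService), ObjectUri, WellKnownObjectMode.Singleton);
    }

    public static void Main(string[] args)
    {
        bool exposed = args.Length > 0 && args[0] == "--http";
        if (exposed)
        {
            StartExternallyFacingHttp(8080); // placeholder port
            Console.WriteLine("Listening on http://<every interface>:8080/" + ObjectUri);
        }
        else
        {
            // Placeholder pipe and group names.
            StartLocalIpc("AgilisLocalPipe", "BUILTIN\\Administrators");
            Console.WriteLine("Listening on ipc://AgilisLocalPipe/" + ObjectUri);

            // A client on the same machine reaches the object through the pipe only.
            var proxy = (CashModuleService)Activator.GetObject(
                typeof(CashModuleService), "ipc://AgilisLocalPipe/" + ObjectUri);
            Console.WriteLine("Status: " + proxy.GetStatus());
        }
        Console.WriteLine("Press Enter to stop.");
        Console.ReadLine();
    }
}
```

Run with `--http` to see the exposed variant; a `netstat -ano` on the terminal then shows the port listening on 0.0.0.0, which is exactly what the host-based firewall in countermeasure 2 has to block. Without the flag, nothing listens on a TCP port at all, so the firewall becomes defence in depth rather than the only barrier.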

In general, we highly recommend using solutions specific to self-service terminals.

For detailed information, please contact your local sales department, a hardware integration
representative or your Diebold Nixdorf security expert.

Additional Information & Contact:

Diebold Nixdorf | Corporate Product & Solution Security

Check out the Diebold Nixdorf Security blogs:
Subscribe to the Global Security Portal:
