CVE-2023-24063

6.8 MEDIUM

📋 TL;DR

This vulnerability allows physical attackers to bypass disk encryption on Diebold Nixdorf ATMs by manipulating the /etc/mtab file during the Pre-Boot Authorization process. Attackers with physical access to the hard disk can potentially access encrypted data without proper authentication. This affects Diebold Nixdorf Vynamic Security Suite installations before version 3.3.0 SR10.

💻 Affected Systems

Products:
  • Diebold Nixdorf Vynamic Security Suite (VSS)
Versions: All versions before 3.3.0 SR10
Operating Systems: Linux-based ATM operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using VSS for disk encryption with Pre-Boot Authorization enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of ATM security, allowing attackers to extract sensitive financial data, manipulate transactions, or install persistent malware on ATM systems.

🟠

Likely Case

Physical attackers bypass disk encryption to access sensitive ATM configuration data, potentially enabling further attacks or financial fraud.

🟢

If Mitigated

Limited impact if physical security controls prevent unauthorized access to ATM hardware components.

🌐 Internet-Facing: LOW - This requires physical access to the ATM hardware, not network access.
🏢 Internal Only: MEDIUM - While physical access is required, internal personnel or contractors with physical access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires physical access to manipulate the hard disk, but the technique is documented in a DEF CON 32 presentation and accompanying white paper.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0 SR10 or later

Vendor Advisory: https://www.dieboldnixdorf.com/en-us/banking/portfolio/software/security/

Restart Required: Yes

Instructions:

1. Contact Diebold Nixdorf for patch availability.
2. Apply the VSS update to version 3.3.0 SR10 or later.
3. Reboot the ATM system to activate the fix.

🔧 Temporary Workarounds

Enhanced Physical Security


Strengthen physical access controls to prevent unauthorized access to ATM hardware components.

Disk Tamper Detection


Implement physical tamper detection mechanisms and regular integrity checks of ATM hardware.

🧯 If You Can't Patch

  • Implement strict physical security controls and surveillance for all ATM locations
  • Conduct regular physical security audits and integrity checks of ATM hardware

🔍 How to Verify

Check if Vulnerable:

Check the VSS version using vendor-provided tools, or check whether /etc/mtab validation is missing during the PBA process.

Check Version:

Use Diebold Nixdorf VSS management tools to check current version

Verify Fix Applied:

Verify that the VSS version is 3.3.0 SR10 or later, and test the PBA process with a manipulated /etc/mtab to confirm that it is rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed PBA attempts with unusual timing
  • Physical tamper detection alerts
  • Unexpected system reboots or PBA process anomalies

Network Indicators:

  • Unusual physical access patterns to ATM locations

SIEM Query:

Physical security alerts AND (ATM system events OR PBA failure events)
