Diebold Nixdorf Vynamic Security Suite Code Execution Vulnerability via Improper File Deletion

A vulnerability in Diebold Nixdorf Vynamic Security Suite (VSS) versions through 4.3.0 SR06 allows for unauthorized code execution by deleting critical system files before the filesystem is fully mounted. This is achieved by exploiting a delete command in the mountfs initialization script to remove the fstab file, which can lead to execution of malicious code. In some versions, this vulnerability also facilitates the recovery of TPM Disk Encryption keys, allowing decryption of the Windows system partition.

Impact

Exploitation of this vulnerability enables unauthorized code execution and, in certain versions, access to TPM Disk Encryption keys for decrypting the Windows system partition.

Reproduction

The vulnerability can be reproduced by removing the default file system watermarks in VSS 3.3.0 SR16, which allows the deletion of the /etc/fstab file. This can be done by exploiting the /etc/rc.d/init.d/mountfs' script, which contains commands to remove filesystem watermarks. Once the fstab file is deleted, access to protected directories can be gained, and the otherwise inaccessible content can be extracted, such as the 'bootlog' from the 'var' directory, which provides insights into the system's operations.