
CVE-2024-0674: CWE-269 Improper Privilege Management in Lamassu Bitcoin ATM Douro machines

Medium
Published: Tue Jan 30 2024 (01/30/2024, 12:19:00 UTC)
Source: CVE Database V5
Vendor/Project: Lamassu
Product: Bitcoin ATM Douro machines

Description

Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js.

AI-Powered Analysis

Last updated: 07/08/2025, 01:13:24 UTC

Technical Analysis

CVE-2024-0674 is a privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines running version 7.1, classified as improper privilege management (CWE-269) in the machines' update mechanism. A local user with limited privileges can modify updatescript.js, insert arbitrary code into it, and create a done.txt file. The presence of done.txt causes the watchdog process, which runs as root, to execute updatescript.js, so the attacker's payload runs as root and the attacker gains full control of the ATM. The underlying weakness is a trust-boundary violation: a root process acts on a trigger file, and executes a script, that an unprivileged user is able to create or modify. The CVSS vector (AV:P/AC:H/PR:L/UI:N) indicates that physical access to the machine, low privileges and high attack complexity are required, with no user interaction. No exploitation in the wild is known at this time. Root access affects confidentiality, integrity and availability: sensitive data can be extracted, system configuration modified, and ATM operations disrupted. The record carries no patch link, so operators should confirm the remediation status directly with Lamassu. Update mechanisms on financial transaction devices are a high-value target, since these machines handle both cryptocurrency and cash.

Potential Impact

For European organizations operating Lamassu Bitcoin ATM Douro machines, this vulnerability poses significant risk. An attacker with physical access to a machine could gain root privileges, potentially leading to theft of cryptocurrency, manipulation of transaction records, or complete disruption of ATM service, with financial loss, reputational damage, and regulatory scrutiny under European data protection and financial regulations as consequences. Arbitrary code execution as root also makes the ATM a possible pivot point for broader compromise if it is connected to internal networks. Given the growing deployment of cryptocurrency ATMs in Europe, particularly in major financial hubs, both operators and their customers are exposed. The medium CVSS score reflects the physical access and high attack complexity required, which limits the scope but does not remove the threat, especially where physical security controls around the machines are weak.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Restrict physical and local access to Lamassu Bitcoin ATM Douro machines to authorized personnel only, using locks, surveillance, and tamper-evident seals.
2) Monitor and audit local user activity on the machines to detect unauthorized file modifications, particularly changes to updatescript.js and the creation of done.txt.
3) Employ file integrity monitoring to alert on unexpected changes to critical update scripts.
4) Coordinate with Lamassu to obtain and apply any patch or firmware update addressing this vulnerability as soon as it is released.
5) If no patch is available yet, consider temporarily disabling or restricting the update mechanism, or adding validation of update scripts (ownership, permissions and a pinned hash or signature) before the watchdog executes them.
6) Segment ATM networks from critical internal networks to limit lateral movement if a machine is compromised.
7) Train staff on the risks of local access vulnerabilities and enforce strict operational security policies around ATM maintenance and updates.
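The trust-boundary failure described in the Technical Analysis (a root watchdog executing a script, and acting on a trigger file, that a local user can write) and the script validation suggested in mitigation item 5, as an added example. This is not Lamassu code and does not reflect how the Douro watchdog is actually implemented; only the file names updatescript.js and done.txt come from the advisory. The directory layout, the `trusted_uid` parameter, the pinned SHA-256 and the constructed scenario in `demo()` are assumptions.

```python
"""Added example (not Lamassu code): a guard a root watchdog could apply before
executing an update script that a trigger file asks it to run.

The vulnerable pattern is: 'done.txt exists -> run updatescript.js as root'.
The guard only honours the trigger when the update directory, the trigger file
and the script are all owned by a trusted uid, are not writable by anyone else,
and the script matches a pinned hash. File names are from the advisory; the
directory layout and trusted uid are assumptions.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

TRIGGER_FILE = "done.txt"
UPDATE_SCRIPT = "updatescript.js"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _untrusted_writer(path: Path, trusted_uid: int) -> Optional[str]:
    """Reason string if someone other than trusted_uid could have written path."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return f"{path.name} is a symlink"
    if st.st_uid != trusted_uid:
        return f"{path.name} owned by uid {st.st_uid}, expected {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path.name} is group/world-writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None


def should_apply_update(update_dir: Path, expected_sha256: str,
                        trusted_uid: int = 0) -> Tuple[bool, str]:
    """Decide whether a root watchdog may execute update_dir/updatescript.js.

    Returns (ok, reason). trusted_uid defaults to root; tests pass their own uid.
    """
    trigger = update_dir / TRIGGER_FILE
    script = update_dir / UPDATE_SCRIPT
    if not trigger.exists():
        return False, "no trigger file"
    for p in (update_dir, trigger, script):
        if not p.exists():
            return False, f"{p.name} missing"
        reason = _untrusted_writer(p, trusted_uid)
        if reason:
            return False, reason
    actual = sha256_of(script)
    if actual != expected_sha256:
        return False, f"script hash mismatch: {actual[:12]} != {expected_sha256[:12]}"
    return True, "update verified"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a vetted script, then the same script after a local
    user appends a payload and drops done.txt, then a world-writable script."""
    me = os.getuid()  # stands in for the uid the watchdog trusts (root in production)
    with tempfile.TemporaryDirectory() as d:
        update_dir = Path(d) / "update"
        update_dir.mkdir(mode=0o755)
        script = update_dir / UPDATE_SCRIPT
        script.write_text("console.log('legit update');\n")
        script.chmod(0o644)
        pinned = sha256_of(script)  # in production: from a vendor-signed manifest
        results = {}
        results["no_trigger"] = should_apply_update(update_dir, pinned, me)
        (update_dir / TRIGGER_FILE).write_text("")
        (update_dir / TRIGGER_FILE).chmod(0o644)
        results["clean"] = should_apply_update(update_dir, pinned, me)
        # attacker appends a payload: hash no longer matches the pinned value
        with script.open("a") as f:
            f.write("require('child_process').execSync('id > /tmp/pwned');\n")
        results["tampered"] = should_apply_update(update_dir, pinned, me)
        # script restored but left world-writable: any local user could rewrite it
        script.write_text("console.log('legit update');\n")
        script.chmod(0o666)
        results["writable"] = should_apply_update(update_dir, pinned, me)
        return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10} -> {'RUN' if ok else 'REFUSE'}: {why}")
```

Two caveats for anyone adapting this: a check-then-execute sequence leaves a time-of-check/time-of-use window on a directory other users can reach, so the watchdog should copy the verified script into a root-only location (or hold an open file descriptor) and execute that copy; and a pinned hash only helps if the hash itself is delivered over a channel the local user cannot tamper with, such as a vendor-signed manifest verified with a key stored outside the update directory. The ownership and mode checks are also what a file integrity monitor (mitigation items 2 and 3) would baseline for updatescript.js and done.txt.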


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2024-01-18T11:38:15.095Z
Cvss Version
3.1
State
PUBLISHED


Added to database: 5/29/2025, 3:14:16 PM

Last enriched: 7/8/2025, 1:13:24 AM

Last updated: 8/16/2025, 10:11:11 PM

