
PAX Technology’s point-of-sale (PoS) terminals are affected by a series of high-severity vulnerabilities that could be exploited by threat actors to execute arbitrary code.
The STM Cyber research and development team reverse-engineered the Android-based devices made by the Chinese company because of their rapid deployment in Poland, and said it discovered six vulnerabilities that allow privilege escalation and local code execution from the bootloader.

Details about one of the vulnerabilities (CVE-2023-42133) have been withheld. The other flaws are as follows:
- CVE-2023-42134 and CVE-2023-42135 (CVSS score: 7.6) – Native code execution as root via kernel parameter injection in fastboot (affects PAX A920Pro/PAX A50)
- CVE-2023-42136 (CVSS score: 8.8) – Privilege escalation from any user/application to the system user via shell injection in a binder-exposed service (affects all Android-based PAX PoS devices)
- CVE-2023-42137 (CVSS score: 8.8) – Privilege escalation from the system/shell user to root via an unsafe operation in the systool_server daemon (affects all Android-based PAX PoS devices)
- CVE-2023-4818 (CVSS score: 7.3) – Bootloader downgrade via improper tokenization (affects PAX A920)
Successful exploitation of the above-mentioned weaknesses could allow an attacker to elevate their privileges to root and bypass sandbox protection, effectively gaining full access to perform any operation.

This includes interfering with payment operations to “modify the data sent to the merchant application [Secure Processor], which includes the transaction amount,” said security researchers Adam Kliś and Hubert Jasudowicz.
It is worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires the attacker to have shell access to the device, while the remaining three require the attacker to have physical USB access to it.
The Warsaw-based penetration testing company said it responsibly disclosed the flaws in early May 2023 to PAX Technology, which released a patch in November 2023.