PAX PoS terminal flaw could allow attackers to tamper with transactions

by Vikash Kumawat

PAX Technology’s point-of-sale (PoS) terminals are affected by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.

The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader.

Details about one of the vulnerabilities (CVE-2023-42133) are withheld for the time being. Other flaws are listed below –

  • CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6) – Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50)
  • CVE-2023-42136 (CVSS score: 8.8) – Privilege escalation from any user/application to system user via shell injection in a binder-exposed service (Impacts All Android-based PAX PoS devices)
  • CVE-2023-42137 (CVSS score: 8.8) – Privilege escalation from system/shell user to root via insecure operations in systool_server daemon (Impacts All Android-based PAX PoS devices)
  • CVE-2023-4818 (CVSS score: 7.3) – Bootloader downgrade via improper tokenization (Impacts PAX A920)

Successful exploitation of the above vulnerabilities could allow an attacker to escalate their privileges to root and bypass sandboxing protections, effectively gaining carte blanche access to perform any operation.

This involves “interfering with payment operations to modify the data sent by the merchant application to [the secure processor], including the transaction amount,” said security researchers Adam Klis and Hubert Jasudowicz.

It’s worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three necessitate that the threat actor has physical USB access to it.

The Warsaw-based penetration testing company said it responsibly disclosed the PAX Technology flaws in early May 2023, with patches released in November 2023.
