In a recent discovery by the STM Cyber R&D team, a series of high-severity vulnerabilities were identified in point-of-sale (PoS) terminals manufactured by PAX Technology. The Chinese firm’s Android-based devices, widely deployed in Poland, were subjected to reverse engineering to uncover a collection of six flaws, allowing threat actors to execute arbitrary code. This technical blog delves into the details of these vulnerabilities, shedding light on the potential risks and the impact on the security of PAX PoS devices.

Details of Vulnerabilities:

• CVE-2023-42133: Details withheld for security reasons.
• CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6): Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50).
• CVE-2023-42136 (CVSS score: 8.8): Privilege escalation from any user/application to system user via shell injection binder-exposed service (Impacts All Android-based PAX PoS devices).
• CVE-2023-42137 (CVSS score: 8.8): Privilege escalation from system/shell user to root via insecure operations in systool_server daemon (Impacts All Android-based PAX PoS devices).
• CVE-2023-4818 (CVSS score: 7.3): Bootloader downgrade via improper tokenization (Impacts PAX A920).

Exploitation Scenarios:

Successful exploitation of these vulnerabilities can lead to root privileges, enabling threat actors to bypass sand boxing protections. This opens avenues for attackers to interfere with payment operations, including modifying data sent to the Secure Processor, which encompasses transaction amounts.

Specifically:

• CVE-2023-42136 and CVE-2023-42137 require shell access to the device.
• The remaining three vulnerabilities necessitate physical USB access to the device.

Disclosure and Patching:

The Warsaw-based penetration testing company responsibly disclosed the vulnerabilities to PAX Technology in May 2023. Subsequently, patches were developed and released by PAX in November 2023 to address these security flaws.

Remediation Steps:

• Ensure that the latest patches released by PAX Technology in November 2023 are applied to all affected PoS terminals.
• Keep a close eye on official communications from PAX Technology for updates regarding CVE-2023-42133 and apply any recommended measures promptly.
• Minimize the risk of exploitation by controlling and limiting physical access to PAX PoS devices, especially USB ports.
• Implement measures to strengthen shell security, reducing the risk associated with CVE-2023-42136, which requires shell access.
• Conduct a thorough review of access controls and permissions, ensuring that only authorized users have the necessary privileges.
• Establish robust log monitoring mechanisms to promptly detect and respond to any suspicious activities indicative of privilege escalation (CVE-2023-42136 and CVE-2023-42137).