PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions

4 months ago AndyC

Jan 17, 2024NewsroomFinancial Data / Vulnerability

The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.

PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions

Jan 17, 2024NewsroomFinancial Data / Vulnerability

PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions

The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.

The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader.

Cybersecurity

Details about one of the vulnerabilities (CVE-2023-42133) have been currently withheld. The other flaws are listed below –

  • CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6) – Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50)
  • CVE-2023-42136 (CVSS score: 8.8) – Privilege escalation from any user/application to system user via shell injection binder-exposed service (Impacts All Android-based PAX PoS devices)
  • CVE-2023-42137 (CVSS score: 8.8) – Privilege escalation from system/shell user to root via insecure operations in systool_server daemon (Impacts All Android-based PAX PoS devices)
  • CVE-2023-4818 (CVSS score: 7.3) – Bootloader downgrade via improper tokenization (Impacts PAX A920)

Successful exploitation of the aforementioned weaknesses could permit an attacker to elevate their privileges to root and bypass sandboxing protections, effectively gaining carte blanche access to perform any operation.

Cybersecurity

This includes interfering with the payment operations to “modify data the merchant application sends to the [Secure Processor], which includes transaction amount,” security researchers Adam Kliś and Hubert Jasudowicz said.

It’s worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three necessitate that the threat actor has physical USB access to it.

The Warsaw-based penetration testing company said it responsibly disclosed the flaws to PAX Technology in early May 2023, following which patches were released by the latter in November 2023.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

21 hours ago AndyC
New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

1 day ago AndyC
China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

1 day ago AndyC
Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

1 day ago AndyC
CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

CISA Warns of Actively Exploited D-Link Router Vulnerabilities – Patch Now

1 day ago AndyC
New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

2 days ago AndyC

You may have missed

The who, where, and how of APT attacks – Week in security with Tony Anscombe

The who, where, and how of APT attacks – Week in security with Tony Anscombe

6 hours ago AndyC
Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

15 hours ago AndyC

Friday Squid Blogging: Emotional Support Squid

15 hours ago AndyC

How to Protect Yourself on Social Networks

21 hours ago AndyC
Nissan reveals ransomware attack exposed 53,000 workers' social security numbers

Nissan reveals ransomware attack exposed 53,000 workers’ social security numbers

21 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.