A number of high-severity vulnerabilities affect PAX Technology’s point-of-sale (PoS) (PAX POS) terminals, which might be used as a weapon by hostile actors to run any code.

The STM Cyber R&D team claimed to have discovered six vulnerabilities that permit privilege escalation and local code execution from the bootloader after reverse engineering the Android-based devices made by the Chinese company due to their quick deployment in Poland.

Currently, information regarding one of the vulnerabilities (CVE-2023-42133) is being kept secret. Below is a list of the remaining defects:

  • CVSS score: 7.6 for CVE-2023-42134 & CVE-2023-42135 – Kernel parameter injection in fastboot causes local code execution as root, impacting PAX A920Pro and PAX A50
  • CVE-2023-42136 (with an 8.8 CVSS score) – Shell injection binder-exposed service that allows privilege escalation from any user or application to the system user (Impacts All Android-based PAX PoS devices)
  • CVE-2023-42137 (with an 8.8 CVSS score) – Insecure operations in the systool_server daemon allow for the escalation of privilege from a system or shell user to root (Impacts All Android-based PAX PoS devices)
  • CVE-2023-4818, with a 7.3 CVSS score – Incorrect tokenization leading to bootloader downgrading (affects PAX A920)

By effectively circumventing sandboxing defenses and elevating privileges to root, an attacker could acquire unrestricted access to execute any command if the previously described vulnerabilities are successfully exploited.

Aiming to “modify data the merchant application sends to the [Secure Processor], which includes transaction amount,” security researchers Adam Kliś and Hubert Jasudowicz described this as tampering with the payment processes.

It is noteworthy that in order to exploit CVE-2023-42136 and CVE-2023-42137, an attacker must have shell access to the device; in contrast, the remaining three require physical USB connection to the device from the threat actor.

The penetration testing organization located in Warsaw stated that it duly notified PAX Technology of the vulnerabilities in early May 2023. Subsequently, the latter delivered updates in November 2023.