Friday, November 29, 2024

PAX PoS Terminal Flaw May Enable Attackers to Tamper with Transactions

Jan 17, 2024 | Newsroom | Financial Data / Vulnerability

The point-of-sale (PoS) terminals from PAX Technology are impacted by a set of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.

The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader.


Details about one of the vulnerabilities (CVE-2023-42133) are currently withheld. The other flaws are listed below:

  • CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6) – Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50)
  • CVE-2023-42136 (CVSS score: 8.8) – Privilege escalation from any user/application to system user via shell injection in a binder-exposed service (Impacts all Android-based PAX PoS devices)
  • CVE-2023-42137 (CVSS score: 8.8) – Privilege escalation from system/shell user to root via insecure operations in the systool_server daemon (Impacts all Android-based PAX PoS devices)
  • CVE-2023-4818 (CVSS score: 7.3) – Bootloader downgrade via improper tokenization (Impacts PAX A920)

Successful exploitation of the aforementioned weaknesses could permit an attacker to elevate their privileges to root and bypass sandboxing protections, effectively gaining carte blanche access to perform any operation.


This includes interfering with the payment operations to “modify data the merchant application sends to the [Secure Processor], which includes transaction amount,” security researchers Adam Kliś and Hubert Jasudowicz said.

It's worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three necessitate that the threat actor has physical USB access to it.

The Warsaw-based penetration testing company said it responsibly disclosed the flaws to PAX Technology in early May 2023, following which patches were released by the latter in November 2023.
