The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.
The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader.
Details about one of the vulnerabilities (CVE-2023-42133) have been currently withheld. The other flaws are listed below –
Successful exploitation of the aforementioned weaknesses could permit an attacker to elevate their privileges to root and bypass sandboxing protections, effectively gaining carte blanche access to perform any operation.
This includes interfering with the payment operations to “modify data the merchant application sends to the [Secure Processor], which includes transaction amount,” security researchers Adam Kliś and Hubert Jasudowicz said.
It’s worth mentioning that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three necessitate that the threat actor has physical USB access to it.
The Warsaw-based penetration testing company said it responsibly disclosed the flaws to PAX Technology in early May 2023, following which patches were released by the latter in November 2023.