January 17, 2024 at 09:57AM
PAX Technology’s PoS terminals have high-severity vulnerabilities that could allow threat actors to execute arbitrary code. The STM Cyber R&D team discovered six flaws, including privilege escalation and local code execution, impacting various PAX devices. The vulnerabilities were responsibly disclosed to PAX, and patches were released in November 2023.
Key takeaways from the meeting notes are:
– PAX Technology’s point-of-sale (PoS) terminals are affected by a series of high-severity vulnerabilities that can be exploited to execute arbitrary code.
– The vulnerabilities were unearthed by the STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm due to their rapid deployment in Poland.
– The identified vulnerabilities, including CVE-2023-42133, have varied impacts such as local code execution, privilege escalation, and bootloader downgrade.
– Successful exploitation of these vulnerabilities could grant an attacker root access and the ability to interfere with payment operations.
– Physical USB access is required to exploit some of the vulnerabilities.
It’s also notable that responsible disclosure of the vulnerabilities was done to PAX Technology in May 2023, and patches were subsequently released in November 2023.