The STM Cyber R&D team has recently made a significant discovery regarding the Android-based point-of-sale (PoS) terminals produced by PAX Technology. This Chinese company, known for its global distribution of payment terminals and PoS hardware and software, is facing a security challenge due to a set of critical vulnerabilities in its PoS devices, which run the PayDroid system.

According to the STM Cyber report, the PAX PoS terminals are vulnerable to a series of exploits that can be used by threat actors to execute arbitrary code or commands on the devices. The severity of these vulnerabilities lies in the fact that an attacker with root access can manipulate any application, including the payment process. Although the PoS terminals have implemented sandboxing to prevent application interaction, the STM Cyber team emphasizes that root access could potentially compromise the payment process by modifying transaction amounts and related data.

The STM Cyber report provides detailed information about six vulnerabilities, shedding light on their potential impact and how they can be exploited:

1. CVE-2023-4818: This vulnerability allows an attacker to downgrade the bootloader of PAX A920 devices, potentially exposing them to earlier, vulnerable versions.

2. CVE-2023-42134: Exploiting this flaw enables an attacker to inject kernel arguments and execute arbitrary code with root privileges on any PAX PoS device.

3. CVE-2023-42135: Similar to the previous vulnerability, this flaw allows an attacker to inject kernel arguments, leading to code execution by flashing a different unsigned partition. This vulnerability affects PAX A920Pro/A50 devices.

4. CVE-2023-42136: Attackers with shell access to a device can leverage this vulnerability to inject shell commands, bypassing checks and gaining ‘system’ privileges.

5. CVE-2023-42137: Another flaw that can be exploited with shell access, this vulnerability allows attackers to overwrite arbitrary files and potentially elevate privileges to system or root.

6. CVE-2023-42133: Due to security concerns, specific information regarding this vulnerability is being withheld.

Exploitation and Mitigation

It is important to note that three of the vulnerabilities described in this report require physical USB access to the device, which underlines how much damage an attacker with such access could do. PAX has released patches addressing all identified vulnerabilities, as reported by STM Cyber. Responsible disclosure took place in May 2023, and patches were subsequently released to address the findings.

Safeguarding Your Systems

For businesses that rely on PAX PoS terminals, it is crucial to promptly apply the latest patches released by PAX in November 2023. It is also recommended to closely monitor official communications from PAX for any updates regarding CVE-2023-42133. To minimize the risk of exploitation, it is important to tightly control physical access to PoS devices, particularly USB ports.

By implementing these remediation steps and remaining vigilant against emerging threats, businesses can enhance the security of their payment systems and safeguard both customer transactions and sensitive data.