Positive Technologies researcher Artem Ivachev has discovered three vulnerabilities in mobile point-of-sale (POS) terminals from PAX Technology, a company that ranked third in the global POS terminal market in 2019, according to The Nilson Report. Now patched, the vulnerabilities affected the PAX S920 and PAX D210 -- devices used to accept payments in restaurants, hotels, and by transportation companies around the world -- and could have been exploited by criminals to commit payment fraud.
Artem Ivachev says: "Attackers could use the vulnerability in PAX S920 (CVE-2020-28892 with a CVSS v3.1 score of 2.5) in a chain of other vulnerabilities as its final link. The error was related to a stack buffer overflow in the pedd service. It could lead to privilege escalation and access to the keystore and protected memory of the device. If code execution by an arbitrary system user was possible, the error allowed running the code with superuser (root) privileges."
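The bug class described above, a stack buffer overflow in a service that runs as root, is worth seeing in code. The following is an added illustration written for this article, not PAX firmware and not a reproduction of the pedd defect (whose internals are not public): a hypothetical privileged service copies an attacker-supplied, length-prefixed payload into a fixed-size stack buffer without checking the length, so the copy runs over an adjacent local (here a privilege flag) and the saved return address. The stack frame is modelled as an explicit struct so the overwrite is deterministic and the demonstration itself stays within defined behaviour; the hardened handler simply rejects any length larger than the destination.

```c
/* Hypothetical stack buffer overflow in a root-privileged IPC service,
 * beside the bounds check that fixes it. Written for this article; it is
 * not PAX code and does not reproduce the pedd vulnerability. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: 1-byte length, then up to 255 payload bytes.
 * Both fields are attacker-controlled once an unprivileged local user can
 * talk to the service. */
struct request {
    uint8_t len;
    uint8_t data[255];
};

#define BUF_SIZE 32

/* Model of the handler's stack frame. A real compiler decides where locals,
 * saved registers and the return address live; making the layout explicit
 * keeps the overwrite deterministic and the demo memory-safe. */
struct frame {
    uint8_t  buf[BUF_SIZE];    /* undersized copy destination            */
    uint32_t is_privileged;    /* "adjacent" local clobbered by overflow  */
    uint32_t saved_return;     /* stand-in for the saved return address   */
};

/* Vulnerable handler: trusts the attacker-supplied length.
 * The real bug pattern is memcpy(buf, req->data, req->len) with no check.
 * We clamp to the modelled frame size only so the demo never writes beyond
 * the struct; the unbounded copy is what an exploit abuses. */
int handle_request_vulnerable(const struct request *req, struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_return = 0xCAFEBABE;          /* legitimate return address */
    size_t n = req->len < sizeof *f ? req->len : sizeof *f;
    memcpy((uint8_t *)f + offsetof(struct frame, buf), req->data, n);
    return (int)n;
}

/* Hardened handler: rejects any payload that would not fit in buf. */
int handle_request_hardened(const struct request *req, struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_return = 0xCAFEBABE;
    if (req->len > BUF_SIZE)
        return -1;                          /* reject oversized request */
    memcpy(f->buf, req->data, req->len);
    return req->len;
}

/* Constructed malicious request: fills buf, then sets is_privileged to 1 and
 * overwrites saved_return with 0x41414141 ('AAAA'). */
void craft_overflow_request(struct request *req)
{
    memset(req, 'A', sizeof *req);
    req->len = BUF_SIZE + 8;               /* 8 bytes past the buffer */
    uint32_t one = 1;
    memcpy(req->data + BUF_SIZE, &one, sizeof one); /* lands on is_privileged */
    /* data[36..39] stay 'A' and land on saved_return */
}

struct outcome {
    int rc;
    uint32_t is_privileged;
    uint32_t saved_return;
};

/* Runs the crafted request through one handler and reports the frame state. */
struct outcome run_crafted(int (*handler)(const struct request *, struct frame *))
{
    struct request req;
    struct frame f;
    struct outcome o;
    craft_overflow_request(&req);
    o.rc = handler(&req, &f);
    o.is_privileged = f.is_privileged;
    o.saved_return = f.saved_return;
    return o;
}

int main(void)
{
    struct outcome v = run_crafted(handle_request_vulnerable);
    struct outcome h = run_crafted(handle_request_hardened);
    printf("vulnerable: rc=%d is_privileged=%" PRIu32 " saved_return=0x%08" PRIx32 "\n",
           v.rc, v.is_privileged, v.saved_return);
    printf("hardened:   rc=%d is_privileged=%" PRIu32 " saved_return=0x%08" PRIx32 "\n",
           h.rc, h.is_privileged, h.saved_return);
    return 0;
}
```

In the vulnerable path the copy flips the privilege flag and replaces the return address with attacker bytes, which is the primitive an attacker who can already run code as an ordinary user would chain into root execution; the hardened path returns an error and leaves both fields untouched. Stack canaries, non-executable stacks and ASLR raise the cost of turning such a corruption into code execution, but the only fix is the length check.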
Another vulnerability in the PAX S920, a signature verification bypass (CVE-2020-28891), has a CVSS v3.1 score of 3.9. An attacker who was already able to upload and run executable files on the terminal could use it to bypass the integrity check performed when dynamically linked executables are launched.
The third vulnerability (CVE-2020-29044, CVSS v3.1 score 6.2) was found in the PAX D210. An attacker with physical access to the device could execute code via USB with operating system kernel privileges, extract all the secrets stored on the terminal, and load a rootkit into the OS kernel.
Ivachev added: "The chains of these and some other vulnerabilities made it possible to intercept user card data (Track 2, PIN) and send arbitrary data to the processing of the acquiring bank (for this, attackers would need encryption keys that could be extracted from the terminal)."
PAX Technology has released software updates that remediate these vulnerabilities. To obtain and install the updates, contact the equipment manufacturer, your bank, or your service provider.