Code Execution Vulnerability in PAX Android POS Devices
CVE-2023-42134

6.8MEDIUM

Key Information:

Vendor

Pax Technology

Status
Pos Terminals
Vendor
CVE Published:
15 January 2024

What is CVE-2023-42134?

The vulnerability allows an attacker with physical USB access to PAX Android POS devices running PayDroid version 8.1.0 Sagittarius V11.1.45 or earlier to exploit a signed partition overwrite flaw. This exploitation can lead to unauthorized local code execution, posing significant risks to device integrity and sensitive transaction data.

Affected Version(s)

POS terminals Android 0 <= 11.1.45_20230314

References

https://ppn.paxengine.com/release/development
vendor-advisory
https://blog.stmcyber.com/pax-pos-cves-2023/
technical-description
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
third-party-advisory

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hubert Jasudowicz, Adam KliĹ› and other members of STM Cyber R&D team
.