Command Execution Vulnerability in PAX Android Based POS Devices
CVE-2023-42137

7.8HIGH

Key Information:

Vendor

Pax Technology

Status
Pos Terminals
Vendor
CVE Published:
15 January 2024

What is CVE-2023-42137?

A critical security concern has been identified in PAX Android based Point of Sale (POS) devices, specifically those running the software version PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier. Attackers with shell access to the device can exploit this vulnerability to execute commands with high privileges. This flaw arises from improper handling of symlinks, potentially allowing malicious actors to manipulate system processes and access sensitive data. Organizations utilizing these devices are urged to review their security practices and apply appropriate mitigations to protect against unauthorized access.

Affected Version(s)

POS terminals Android 0 <= 11.1.50_20230614

References

https://ppn.paxengine.com/release/development
vendor-advisory
https://blog.stmcyber.com/pax-pos-cves-2023/
technical-description
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
third-party-advisory

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hubert Jasudowicz, Adam KliĹ› and other members of STM Cyber R&D team
.
CVE-2023-42137 : Command Execution Vulnerability in PAX Android Based POS Devices