PAX S-series POS terminals

2021: Addressing three vulnerabilities

PAX Technology eliminated three vulnerabilities in the PAX S920 and PAX D210 mobile POS terminals discovered by Positive Technologies expert Artem Ivachev. This was reported by PT on September 10, 2021. These devices are used to accept payments in restaurants, hotels, transport and other areas around the world.

The vulnerability of CVE-2020-28892 (with a rating of 2.5 on the CVSS 3.1 scale) in PAX S920 could be applied by attackers in a chain of other vulnerabilities as a final point, "said Artem Ivachev. - The error was due to stack buffer overflow in pedd service. It helped raise privileges and access the device's key store and secure memory. If it was possible to execute code from an arbitrary user in the system, it allowed you to run code with superuser rights (root).

The second vulnerability in PAX S920 (CVE-2020-28891 with a rating of 3.9 on the CVSS 3.1 scale) is a type of signature verification bypass. It could help the attacker if he had the ability to download and run executable files. With this error, you could bypass the integrity check when running dynamically linked executables.

A third vulnerability was found in the PAX D210 POS terminal (CVE-2020-29044 with a rating of 6.2 on the CVSS 3.1 scale). Having physical access to the device, through USB it was possible to get the ability to execute code with the privileges of the operating system kernel. The error allowed you to extract all secret information from the terminal, as well as load a rootkit into the OS kernel.

Chains of these and some other vulnerabilities made it possible to intercept data cards users (Track 2, PIN), and also allowed you to send arbitrary data to the processor (bank for this you needed keys enciphering that could be extracted from the terminal), "explained Artem Ivachev.

PAX Technology has released software updates to address these vulnerabilities.