Positive Technologies has discovered three vulnerabilities in mobile Point-of-Sale (POS) terminals from PAX Technology.
PAX Technology was ranked third in the POS terminal market in 2019, according to The Nilson Report. The company has patched the vulnerabilities, which affected PAX S920 and PAX D210, devices used to accept payments in restaurants, hotels, and by transportation companies around the world. Attackers could have exploited the flaws to commit fraud.
Attackers could use the vulnerability in PAX S920 (CVE-2020-28892, with a CVSS v3.1 score of 2.5) as the final link in a chain of other vulnerabilities. The error was related to a stack buffer overflow in the pedd service, the Positive Technologies report said.
Positive Technologies researcher Artem Ivachev said the error could lead to privilege escalation and access to the keystore and protected memory of the device. If code execution by an arbitrary system user was possible, the error allowed that code to run with superuser (root) privileges.
Another vulnerability found in PAX S920 (CVE-2020-28891 — Signature Verification Bypass) has a CVSS v3.1 score of 3.9. If attackers had the ability to upload and run executable files, they could exploit this vulnerability to bypass the integrity check when running dynamically linked executable files.
The third vulnerability (CVE-2020-29044 with a CVSS v3.1 score of 6.2) was discovered in PAX D210. If attackers had physical access to the device, they could execute code via USB with operating system kernel privileges. They could also extract all the secret information from the terminal and upload a rootkit into the OS kernel.
Chained together, these and some other vulnerabilities made it possible to intercept user card data (Track 2, PIN) and to send arbitrary data to the acquiring bank's processing system (for this, attackers would need encryption keys that could be extracted from the terminal).
In 2020, Positive Technologies experts helped to patch vulnerabilities in Verifone’s POS terminals and in Ingenico’s Telium 2.