Vulnerabilities fixed in PAX POS terminals could be exploited to commit fraud

Positive Technologies advises banks to install new firmware versions on POS terminals PAX S920 and PAX D210

PAX Technology has eliminated three vulnerabilities discovered by Positive Technologies expert Artem Ivachev in mobile POS terminals PAX S920 and PAX D210. These devices are used to accept payments in restaurants, hotels, and by transportation companies around the world. According to The Nilson Report's estimates, PAX Technology ranked third in the global POS terminal market in 2019.

 Artem Ivachev says:

"Attackers could use the vulnerability in PAX S920 (CVE-2020-28892 with a CVSS v3.1 score of 2.5) in a chain of other vulnerabilities as its final link. The error was related to a stack buffer overflow in the pedd service. 1 It could lead to privilege escalation and access to the keystore and protected memory of the device. If code execution by an arbitrary system user was possible, the error allowed running the code with superuser (root) privileges."

Another vulnerability found in PAX S920 (CVE-2020-28891 — Signature Verification Bypass) has a CVSS v3.1 score of 3.9. If attackers had the ability to upload and run executable files, they could exploit this vulnerability to bypass the integrity check when running dynamically linked executable files.

The third vulnerability (CVE-2020-29044 with a CVSS v3.1 score of 6.2) was discovered in PAX D210. If attackers had physical access to the device, they could execute code via USB with operating system kernel privileges. They could also extract all the secret information from the terminal and upload a rootkit into the OS kernel.

Ivachev explains:

"The chains of these and some other vulnerabilities made it possible to intercept user card data (Track 2, PIN) and send arbitrary data to the processing of the acquiring bank (for this, attackers would need encryption keys that could be extracted from the terminal)."

PAX Technology has released software updates that remediate these vulnerabilities. To get and install the necessary software, contact the equipment manufacturer, your bank, or your service provider.

In 2020, Positive Technologies experts helped to patch vulnerabilities in Verifone's POS terminals and in Ingenico's Telium 2.

  1. PIN entry device daemon (pedd) is a service for cryptographic operations with payment data in the system.