History: Jan 15, 2024 - 1:28 p.m.

CVE-2023-42134

2024-01-15 13:28:53
CWE-912
CERT-PL
www.cve.org
pos
android
vulnerability
older version
local code execution
physical access

CVSS3: 6.8

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.8
Confidence: High

EPSS: 0.001
Percentile: 21.0%

PAX Android-based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow a signed partition to be overwritten and, subsequently, local code execution via a hidden command.

The attacker must have physical USB access to the device in order to exploit this vulnerability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android"
    ],
    "product": "POS terminals",
    "vendor": "PAX Technology",
    "versions": [
      {
        "lessThanOrEqual": "11.1.45_20230314",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
