CVE-2023-4818

Name

Bootloader downgrade via improper tokenization

CVSS score

7.3 (High)

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Product name

POS terminal PAX A920

Confirmed exploitable versions

PayDroid 7.1.2_Aquarius_11.1.50_20230614 or lower

Researcher

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Blog posts

https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-4818

Description

In PAX A920, during boot, by switching to fastboot mode and flashing a partition named aboot:, it’s possible to downgrade the bootloader to a previously vulnerable, signed version (version check is skipped).
The attacker must have physical USB access to the device in order to exploit this vulnerability.

Proof-of-concept

The vulnerability writeup with a PoC can be found on the blog post:
https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-4818

Timeline

07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
08-05-2023 - second attempt of contact with vendor (successful)
10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
09-10-2023 - further contact with PAX to fix found vulnerabilities
30-11-2023 - STM Cyber verifies patches
15-01-2024 - public release

References

https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4818