CVE-2019-14717

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code on Verifone VerixV Pinpad Payment Terminals by exploiting a buffer overflow in the Run system call. It affects payment terminals running Verifone Verix OS with specific firmware. Successful exploitation could compromise payment processing systems and sensitive financial data.

💻 Affected Systems

Products:
  • Verifone VerixV Pinpad Payment Terminal
Versions: Verix OS with QT000530 firmware
Operating Systems: Verifone Verix OS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects terminals with QT000530 firmware version. These are physical payment terminals used at point-of-sale locations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install persistent malware, intercept payment card data, manipulate transactions, and potentially compromise connected payment networks.

🟠 Likely Case

Terminal compromise leading to payment card data theft (card skimming), transaction manipulation, or denial of service affecting payment processing.

🟢 If Mitigated

Limited impact if terminals are properly segmented, monitored, and have restricted system call access, though the buffer overflow could still cause crashes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Buffer overflow via system call suggests local or network-accessible exploitation. Payment terminals are attractive targets for financial crime groups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after QT000530

Vendor Advisory: https://www.verifone.com/en/us/support/security-updates

Restart Required: Yes

Instructions:

1. Contact Verifone support for the latest firmware.
2. Back up the terminal configuration.
3. Apply the firmware update via a secure method.
4. Verify update completion.
5. Restart the terminal.

🔧 Temporary Workarounds

Restrict System Call Access

Applies to: all

Limit access to the Run system call through OS configuration, if supported.

Configuration varies by Verix OS version; consult Verifone documentation.

Network Segmentation

Applies to: all

Isolate payment terminals from general network access.

Implement firewall rules to restrict terminal communication to payment processors only.

🧯 If You Can't Patch

  • Physically secure terminals to prevent unauthorized access
  • Implement strict monitoring for abnormal terminal behavior or network traffic

🔍 How to Verify

Check if Vulnerable:

Check terminal firmware version via admin menu: Settings > System Information > Firmware Version

Check Version:

Terminal-specific: Access admin menu and navigate to firmware information

Verify Fix Applied:

Verify firmware version is newer than QT000530 and test Run system call functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed Run system call attempts
  • Unexpected process execution
  • System crash/restart logs

Network Indicators:

  • Unusual outbound connections from terminals
  • Traffic to non-payment processor endpoints

SIEM Query:

source="payment_terminal" AND (event="system_call_failure" OR event="unexpected_process")
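As an added example (not code from the advisory or from Verifone), the following Python scans constructed terminal event lines for the log and network indicators listed above and mirrors the SIEM query's source filter. The key="value" line format, the expected-process list, the payment-processor host allowlist and the failure threshold are all assumptions: the advisory names no log format for Verix terminals, so a real deployment would map the terminal's actual log export onto these fields.

```python
"""Added example, not code from the advisory or from Verifone: scan
constructed payment-terminal event lines for the log and network
indicators listed under Detection & Monitoring.

Assumptions (hypothetical, constructed for this example): Verix terminals
have no documented log format here, so a syslog-style key="value" line is
assumed; the process allowlist, the payment-processor host allowlist and
the failure threshold are placeholders to be replaced with site values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allowlist of payment-processor endpoints a terminal may reach.
PAYMENT_PROCESSOR_HOSTS = {
    "gw.example-processor.invalid",
    "backup.example-processor.invalid",
}
# Hypothetical set of processes expected to run on the terminal.
KNOWN_PROCESSES = {"pos_app", "txn_agent", "watchdog"}
# How many failed Run calls from one terminal count as "multiple".
RUN_FAILURE_THRESHOLD = 3

# Constructed sample log: terminal T1 shows every indicator, T2 is benign.
SAMPLE_LOG = [
    'source="payment_terminal" terminal="T1" event="system_call_failure" syscall="Run" detail="argument too long"',
    'source="payment_terminal" terminal="T2" event="process_start" process="pos_app"',
    'source="payment_terminal" terminal="T1" event="system_call_failure" syscall="Run" detail="argument too long"',
    'source="payment_terminal" terminal="T1" event="system_call_failure" syscall="Run" detail="argument too long"',
    'source="payment_terminal" terminal="T1" event="process_start" process="sh"',
    'source="payment_terminal" terminal="T2" event="net_connect" dst="gw.example-processor.invalid" port="443"',
    'source="payment_terminal" terminal="T1" event="net_connect" dst="198.51.100.23" port="8080"',
    'source="payment_terminal" terminal="T1" event="restart" reason="unexpected"',
]

KV_FIELD = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    terminal: str
    indicator: str
    detail: str


def parse_line(line):
    """Parse one key="value" log line into a dict (unknown fields are kept)."""
    return dict(KV_FIELD.findall(line))


def detect(lines):
    """Return one Finding per matched indicator, in log order, with the
    per-terminal Run-failure count evaluated once all lines are read."""
    findings = []
    run_failures = defaultdict(int)
    for ev in map(parse_line, lines):
        if ev.get("source") != "payment_terminal":
            continue  # mirrors the SIEM query's source filter
        term = ev.get("terminal", "unknown")
        kind = ev.get("event")
        if kind == "system_call_failure" and ev.get("syscall") == "Run":
            run_failures[term] += 1
        elif kind == "process_start" and ev.get("process") not in KNOWN_PROCESSES:
            findings.append(Finding(term, "unexpected_process", ev.get("process", "")))
        elif kind in ("crash", "restart"):
            findings.append(Finding(term, "crash_or_restart", ev.get("reason", "")))
        elif kind == "net_connect" and ev.get("dst") not in PAYMENT_PROCESSOR_HOSTS:
            findings.append(Finding(term, "non_processor_endpoint", ev.get("dst", "")))
    for term, count in run_failures.items():
        if count >= RUN_FAILURE_THRESHOLD:
            findings.append(Finding(term, "repeated_run_failures", f"{count} failed Run calls"))
    return findings


def terminals_to_triage(findings):
    """Group indicators by terminal so an analyst sees one row per device."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.terminal].add(f.indicator)
    return {t: sorted(inds) for t, inds in grouped.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.terminal}: {f.indicator} ({f.detail})")
    print(terminals_to_triage(detect(SAMPLE_LOG)))
```

Run failures are counted per terminal and only reported once the threshold is reached, so a single failed Run call (which can be a benign application error) does not page anyone, while the other three indicators are reported on first sight because each is unusual on a fixed-function terminal. The `terminals_to_triage` view is what a SOC would want: one row per device with every indicator that fired, which is more useful for prioritising a field visit than a flat event list.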
