CVE-2023-42136 – This vulnerability allows shell injection in PA... (How to Fix)

Q: What is the severity of CVE-2023-42136?

CVE-2023-42136 has a CVSS score of 7.8 (HIGH). This vulnerability allows shell injection in PAX Android-based POS devices, enabling attackers with shell access to execute arbitrary commands with system privileges. It affects PAX POS devices running PayDroid 8.1.0 Sagittarius V11.1.50 or earlier versions.

📋 TL;DR

This vulnerability allows shell injection in PAX Android-based POS devices, enabling attackers with shell access to execute arbitrary commands with system privileges. It affects PAX POS devices running PayDroid 8.1.0 Sagittarius V11.1.50 or earlier versions.

💻 Affected Systems

Products:

PAX Android-based POS devices

Versions: PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 and earlier

Operating Systems: Android-based PayDroid

Default Config Vulnerable: ⚠️ Yes

Notes: Requires shell access to exploit; affects specific PAX POS models running vulnerable PayDroid firmware.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of POS device allowing installation of malware, data theft, payment fraud, and lateral movement to other systems.

🟠

Likely Case

Local privilege escalation leading to unauthorized access to payment data, device manipulation, or installation of skimming software.

🟢

If Mitigated

Limited impact if shell access is properly restricted and devices are isolated from sensitive networks.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires shell access; injection occurs with specific trigger words.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after PayDroid_8.1.0_Sagittarius_V11.1.50_20230614

Vendor Advisory: https://ppn.paxengine.com/release/development

Restart Required: Yes

Instructions:

1. Check current firmware version. 2. Download latest firmware from PAX portal. 3. Apply update via device management interface. 4. Reboot device. 5. Verify update success.

🔧 Temporary Workarounds

Restrict shell access

android

Disable or heavily restrict shell access to POS devices

# Configure device management to disable shell access
# Use ADB or device policies to restrict shell

Network segmentation

all

Isolate POS devices from other network segments

# Configure firewall rules to restrict POS device communication
# Implement VLAN segmentation for POS network

🧯 If You Can't Patch

Implement strict access controls to prevent shell access to devices
Monitor device logs for shell injection attempts and unusual command execution

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in settings; if PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.incremental

Verify Fix Applied:

Verify firmware version is newer than PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 and test shell injection attempts fail.

📡 Detection & Monitoring

Log Indicators:

Unusual shell commands execution
Commands containing specific trigger words
Privilege escalation attempts

Network Indicators:

Unexpected outbound connections from POS devices
Communication with unknown IPs

SIEM Query:

source="pos-device" AND (command="*specific_word*" OR process="shell" AND user="system")

📊 Metadata

CVE ID: CVE-2023-42136

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: January 15, 2024

Last Updated: November 21, 2024

🔗 References

https://blog.stmcyber.com/pax-pos-cves-2023/ Exploit,Third Party Advisory
https://cert.pl/en/posts/2024/01/CVE-2023-4818/ Third Party Advisory
https://cert.pl/posts/2024/01/CVE-2023-4818/ Third Party Advisory
https://ppn.paxengine.com/release/development Permissions Required
https://blog.stmcyber.com/pax-pos-cves-2023/ Exploit,Third Party Advisory
https://cert.pl/en/posts/2024/01/CVE-2023-4818/ Third Party Advisory
https://cert.pl/posts/2024/01/CVE-2023-4818/ Third Party Advisory
https://ppn.paxengine.com/release/development Permissions Required

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-42136, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

Paydroid by Paxtechnology

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict shell access

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities