Vulnerability Management

Oracle patches POS vulnerability affecting 300,000 systems

Oracle recently patched a Micros point-of-sale vulnerability which could have allowed an attacker to read any file and receive information about various services without authentication from a vulnerable MICROS workstation.

The bug was discovered in September 2017 by ERPScan security researcher Dmitry Chastuhin and was patched in a January 2018 update. Vulnerability (CVE-2018-2636) put 300,000 systems at risk and was rated at an 8.1 CVSS v3 score signifying the bug is dangerous and should be immediately patched, according to a Jan. 30 blog post.

“CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service,” the post said. “In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.”

There are several ways an attacker can exploit the system but ultimately the vulnerability allows them to steal database usernames and password hashes, use them in brute force attacks, and gain full access to the database with all the business data.

Researchers said the vulnerability is “difficult to exploit” but in the event of a compromise it would allow an attacker to access the applications over HTTP without the need for authentication and could ultimately result in a takeover

To prevent an attack, researchers recommend users implement all security patches provided by their vendor.

““We've seen retailers consistently struggling with point-of-sale vulnerabilities, and this latest report shows how prominent it is as a third-party attack vector,” CyberGRX Chief Executive Officer Fred Kneip said. “Retailers not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk.”

Kneip added that While all partners must be regularly reviewed and monitored, the level and depth of assessment of tier one partners like MICROS is critical, from core systems and APIs to peripheral areas of exposure such as support portals

Related

GAO: Most Biden cybersecurity EO requirements achieved

Forty-nine of 55 requirements under the Biden administration's executive order aimed at bolstering federal IT systems' cybersecurity defenses were noted by the Government Accountability Office to have already been fulfilled by the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, and the National Institute of Standards and Technology, reports FedScoop.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.