Oracle MICROS POS Vulnerability Affects 300,000 Systems
POS (Point-of-Sale) systems are always among the favorite targets of hackers; POS terminals always provide them the chance to lay their hands on all kinds of data- credit card data, other customer data, bank data etc. Hence cyber criminals are always on the lookout for POS vulnerabilities.
There have been some reports recently about a vulnerability in Oracle’s MICROS POS system software, which could have helped attackers in gaining full access to systems and networks. The vulnerability, which was discovered in September 2017, was patched in January 2018. The vulnerability was initially discovered by a security researcher Dmitry Chastuhin, who is a member of the research team at ERPScan.
In a recent blog post, ERPScan discusses the vulnerability in detail; the blog post says- “Our aim as specialists of business applications security as well as critical systems that are prone to fraud is to identify vulnerabilities before hackers exploit them. In September 2017, a security researcher Dmitry Chastuhin (aka @_chipik) from our security team found an Oracle MICROS POS vulnerability (CVE-2018-2636). It was fixed in its CPU January 2018.”
The vulnerability (CVE-2018-2636), as per the ERPScan blog post, has a CVSS v3.0 base score of 8.1 and is hence dangerous. The blog post says- “According to the Oracle CPU, CVE-2018-2636 acquired 8.1 CVSS v3 score. It means that the security issue is dangerous and must be patched primarily or an attacker will be able to read any file and receive information about various services without authentication from a vulnerable MICROS workstation.”
The vulnerability helps attackers get away with all kinds of valuable data. The ERPScan blog post says- “CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service. In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc…So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise.”
A Threatpost blog discussing the vulnerability says- “Specifically, it targets the Simphony POS software suite, which provides both back-office and customer-facing applications that run on fixed and mobile devices. It is widely used in the restaurant and hotel industries. Affected versions include 2.7, 2.8 and the most recent version 2.9, released in October 2016.” The blog post also refers to ERPScan using a Shodan search to detect exposes systems- “Using a Shodan search, ERPScan found 170 Micros POS systems exposed on the internet. That’s a tiny fraction of the total MICROS system landscape, as the systems are deployed at more than 330,000 sites worldwide.”
The ERPScan blog post says- “…hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store.”
There’s no news on whether any MICROS systems have been breached by the vulnerability, but it’s reported that the vulnerability is still present in many of them.
To secure systems from cyber attacks that exploit such vulnerabilities, it’s advisable that users have to persistently implement all security patches provided by their vendors.