sb-nz logo
Story image

Oracle MICROS POS vulnerability may compromise 330,000 POS systems

02 Feb 2018

A vulnerability in Oracle’s MICROS POS systems may affect more than 330,000 payment systems across the globe, putting files and sensitive information at risk.

Security firm ERPScan found the vulnerability, CVE-2018-2636, in Oracle’s MICROS point-of-sale terminals. They are commonly used in hospitality and hotels in 180 countries.

While the vulnerability was reportedly fixed, the company is quick to stress that users must patch their systems regularly.

“The security issue enables reading files from POS systems remotely without authentication and allows accessing a configuration file that stores sensitive information including passwords. What counts here is that a number of MICROS POS systems are exposed to the Internet,” a statement from ERPScan says.

“The attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise.”

The vulnerability achieved an 8.1 CVSS v3 score, which means it is dangerous. It must be patched otherwise an attacker can read any file without authentication from a vulnerable MICROS workstation.

The vulnerability also allows attackers full access to the operating system. The system could then be compromised due to espionage, sabotage or fraud, depending on what the attackers are after – credit card numbers are a common target.

 "POS systems directly process and transmit our payment orders, so it's self-evident that they are extremely important and valuable. We use them on the daily and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense," explains ERPScan CTO Alexander Polyakov.

It is not the first time Oracle POS systems have been hacked. In 2016, Oracle MICROS support portal was hacked and attackers potentially gained access to sales terminals worldwide.

Oracle has not publicly commented on the findings, however it did fix the vulnerability as part of its Critical Patch Update in January. Despite the patch availability, many unpatched MICROS POS systems will still be at risk.

“If you want to secure your system from cyberattacks, you have to persistently implement all security patches provided by your vendor,” ERPScan says.

“However, this news definitely should not be seen as the light at the end of the tunnel as there might be other vulnerabilities in POS systems that must be disclosed.”

Link image
Metrics make the e-commerce world go round
E-commerce technology leaders need to track, analyse, and act on large volumes of business and system performance data. Here is a framework for powerful e-commerce metrics.More
Story image
Video: 10 Minute IT Jams - The benefits of converged cloud security
Today, Techday speaks to Forcepoint senior sales engineer and solutions architect Matthew Bant, who discusses the benefits of a converged cloud security model, and the pandemic's role in complicating the security stack in organisations around the world.More
Story image
Kaspersky finds red tape biggest barrier against cybersecurity initiatives
The most common obstacles that inhibit or delay the implementation of industrial cybersecurity projects include the inability to stop production (34%), and bureaucratic steps, such as a lengthy approval process (31%) and having too many decision-makers (23%). More
Story image
Acronis announces new security endpoint solution
The solution is an integration of data protection and cybersecurity which provides customers with effective endpoint protection in a landscape where the pointlessness of perimeter security is becoming more pronounced.More
Story image
McAfee finds vulnerabilities in 'temi' the videoconferencing robot
Temi is commonly used in environments including businesses, healthcare, retail, hospitality, and other environments including the home.More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More