Critical Oracle MICROS POS Flaw Affects Over 300,000 Payment Systems

Oracle has released a security patch update to address a critical, remotely exploitable vulnerability in its MICROS point-of-sale (POS) business solutions for the hospitality industry.

The fix ships as part of Oracle's January 2018 patch update, which addresses a total of 238 security vulnerabilities across its various products.

According to the public disclosure by ERPScan, the security firm that discovered and reported the issue to Oracle, the MICROS EGateway Application Service, deployed by more than 300,000 small retailers and businesses worldwide, is vulnerable to a directory traversal attack.

If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and obtain information about various services on vulnerable MICROS workstations without any authentication.

Using the directory traversal flaw, an unauthenticated attacker with network access to the vulnerable application (an insider, or anyone who can reach the internal network) could read arbitrary files from the MICROS workstation, including service logs and configuration files.

As the researchers explain, two such sensitive files kept in the application's storage, SimphonyInstall.xml and Dbconfix.xml, contain usernames and encrypted passwords for connecting to the database.

"So, the attacker can snatch DB usernames and password hashes, brute-force them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise," the researchers warned.
"If you believe that gaining access to a POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect them to a Raspberry Pi, and scan the internal network. That is where they easily find a POS system. Remember this fact when you pop into a store."
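The bug class behind this advisory is easy to reproduce outside MICROS: a handler that joins a user-supplied file name onto a base directory without checking where the result lands. The example below is added here for illustration; it is not ERPScan's proof of concept and not Oracle's code, and the handler names, the temporary directory layout and the file contents are constructed stand-ins (only the pattern, user-controlled path joined onto a base directory, reflects the CVE-2018-2636 class of flaw). It shows the vulnerable join handing back a config file that sits outside the served directory, and a hardened version that resolves the final path and refuses anything that escapes the base.

```python
"""Added example: directory traversal in a file-serving handler, vulnerable
and hardened. Names, directories and file contents are constructed here;
this is not code from MICROS or from the ERPScan advisory."""
import os
import tempfile


def serve_file_vulnerable(base_dir: str, requested: str) -> bytes:
    # BUG: os.path.join neither strips '..' segments nor keeps base_dir when
    # `requested` is absolute, so '../Dbconfix.xml' or '/etc/passwd' is
    # opened as-is. This is the CVE-2018-2636 pattern in miniature.
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_hardened(base_dir: str, requested: str) -> bytes:
    # Resolve symlinks and '..' on both sides, then insist that the resolved
    # target still lies under the resolved base. Absolute paths, '..' hops and
    # symlinks pointing outside all fail the commonpath check.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed tree: a served 'public' directory plus a config
    file one level above it, then exercise both handlers."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("<html>menu</html>")
    # Constructed stand-in for a config file that is NOT meant to be served.
    with open(os.path.join(root, "Dbconfix.xml"), "w") as fh:
        fh.write("<db user='pos' password='HASH'/>")

    result = {}
    result["vuln_legit"] = serve_file_vulnerable(public, "index.html")
    # The vulnerable handler happily walks out of 'public'.
    result["vuln_traversal"] = serve_file_vulnerable(public, "../Dbconfix.xml")
    result["hard_legit"] = serve_file_hardened(public, "index.html")
    try:
        serve_file_hardened(public, "../Dbconfix.xml")
        result["hard_traversal"] = "allowed"
    except PermissionError:
        result["hard_traversal"] = "blocked"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the check happens on the fully resolved path, not on the raw string: rejecting the literal `..` is not enough once percent-encoding, backslashes on Windows, or symlinks inside the base directory enter the picture.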

ERPScan has also released a proof-of-concept Python exploit which, when run against a vulnerable MICROS server, sends a crafted request and receives the contents of sensitive files in the response.
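For anyone defending MICROS deployments that cannot be patched immediately, the exploit traffic described above is the thing to watch for in web server logs. The detector below is an added example, not part of the advisory or of any vendor tooling: it parses constructed access log lines (the `/app/download?file=` endpoint and the IP addresses are made up for the example), percent-decodes the request target repeatedly so double-encoded `%252e%252e` does not slip past, and flags any request containing a `..` path segment or naming one of the two files the researchers call out.

```python
"""Added example: flag directory traversal attempts in access logs.
Log lines, endpoint and addresses are constructed for illustration."""
import re
from urllib.parse import unquote

# File names from the advisory that should never appear in a request target.
SENSITIVE_NAMES = ("simphonyinstall.xml", "dbconfix.xml")

# A '..' that stands alone as a path segment (not 'logo..png'), with either
# separator after it or the end of the string.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?=[/\\]|$)")

# Common/combined log format, enough fields to pull client, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample: one normal hit, three traversal attempts from one
# client (plain, single-encoded, double-encoded), and a benign '..' inside a
# file name that must not trigger.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2018:10:15:01 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.77 - - [18/Jan/2018:10:15:09 +0000] "GET /app/download?file=../../../Dbconfix.xml HTTP/1.1" 200 2048',
    '10.0.0.77 - - [18/Jan/2018:10:15:11 +0000] "GET /app/download?file=..%2F..%2FSimphonyInstall.xml HTTP/1.1" 200 4096',
    '10.0.0.77 - - [18/Jan/2018:10:15:14 +0000] "GET /app/download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 221',
    '10.0.0.5 - - [18/Jan/2018:10:16:00 +0000] "GET /app/images/logo..png HTTP/1.1" 200 900',
]


def normalize(target: str) -> str:
    """Percent-decode until the string stops changing (bounded), and fold
    backslashes to forward slashes so Windows-style hops are caught too."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def flag_traversal(lines):
    """Return (line_no, client_ip, status, reason) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize(m["target"]).lower()
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("dot-dot segment")
        if any(name in decoded for name in SENSITIVE_NAMES):
            reasons.append("sensitive file name")
        if reasons:
            hits.append((n, m["ip"], m["status"], ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line is the signal that matters: a 404 shows someone probing, a 200 on a request that names Dbconfix.xml means the file left the box and the database credentials in it should be treated as compromised.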

Besides this, Oracle's January 2018 patch update also provides fixes for the Spectre and Meltdown processor vulnerabilities affecting certain Oracle products.