Oracle has patched a vulnerability in its MICROS point-of-sale software that could have allowed an unauthenticated attacker to read arbitrary files from a vulnerable MICROS workstation and gather information about the services running on it.
The bug was discovered in September 2017 by ERPScan security researcher Dmitry Chastuhin and fixed in Oracle's January 2018 update. The vulnerability (CVE-2018-2636) put an estimated 300,000 systems at risk and carries a CVSS v3 score of 8.1, which signifies a dangerous bug that should be patched immediately, according to a 30 January blog post.
“CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service,” the post said. “In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.”
There are several ways an attacker can exploit the flaw, but it ultimately lets them steal database usernames and password hashes, recover the passwords by brute force, and gain full access to the database and all the business data it holds.
Researchers said the vulnerability is "difficult to exploit" (the CVSS rating assigns it a high attack complexity), but it requires no authentication: an attacker who can reach the affected application over HTTP can read files from the workstation, and a successful attack could ultimately result in a takeover of the system.
To prevent attacks, researchers recommend that users apply all security patches provided by their vendor as soon as they are released.
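The two paragraphs above describe the class of bug (a directory traversal in an HTTP endpoint that reads files relative to a document root) and how it is reached (unauthenticated, over HTTP). The following Python is an added illustration of that pattern and is not Oracle's or ERPScan's code; the vulnerable MICROS URL is not reproduced. Only the file names Dbconfix.xml and SimphonyInstall.xml come from the article; the document-root layout, file contents and log lines are constructed here, and the Common Log Format used for the detector is an assumption rather than EGateway's actual log format. It shows a naive handler that walks out of its root, a confined handler that decodes and canonicalises the path before checking it against the root, and a detector that flags traversal attempts (including double-encoded ones) in web-server logs without tripping on filenames that merely contain "..".

```python
"""Directory traversal on a file-serving HTTP endpoint: a naive handler beside a
confined one, plus a detector run over web-server log lines.

Added illustration, not Oracle's or ERPScan's code. The vulnerable MICROS URL is not
reproduced; Dbconfix.xml and SimphonyInstall.xml are file names from the article,
everything else (document-root layout, file contents, log lines) is constructed.
"""
import os
import re
import tempfile
import urllib.parse


def make_sandbox():
    """Constructed layout: a document root holding one page, and a sensitive config
    file one level above it, i.e. outside what the endpoint should ever serve."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.makedirs(base)
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    with open(os.path.join(root, "Dbconfix.xml"), "w") as f:
        f.write('<db user="simphony" pass="ENC:constructed-value"/>')  # constructed contents
    return root, base


def _decode(requested):
    """Percent-decode twice (catches %252e-style double encoding) and fold backslashes,
    which the Windows filesystem on a POS workstation treats as path separators."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    return decoded.replace("\\", "/")


def vulnerable_read(base, requested):
    """Naive handler: joins the decoded URL path straight onto the document root, so
    '../Dbconfix.xml' (or '..%2FDbconfix.xml') walks out of it."""
    path = os.path.join(base, urllib.parse.unquote(requested))
    with open(path, "rb") as f:
        return f.read()


def safe_resolve(base, requested):
    """Canonicalise the requested path and confirm it is still inside base.
    Returns the absolute path, or None if the request escapes the document root."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, _decode(requested).lstrip("/")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def hardened_read(base, requested):
    """Confined handler, shaped like an HTTP response: returns (status, body)."""
    path = safe_resolve(base, requested)
    if path is None:
        return 403, b""
    if not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


# Constructed Common Log Format lines (format is an assumption, not EGateway's own).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Jan/2018:10:01:09 +0000] "GET /..%2F..%2FDbconfix.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [30/Jan/2018:10:01:11 +0000] "GET /..%252F..%252FSimphonyInstall.xml HTTP/1.1" 200 1024',
    '10.0.0.7 - - [30/Jan/2018:10:02:00 +0000] "GET /static/app..js HTTP/1.1" 200 77',
]

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def flag_traversal(lines):
    """Return requests whose decoded path contains a '..' segment. A literal '..'
    inside a filename (app..js) is not traversal, so whole segments are tested,
    not substrings; decoding first catches %2F and %252F variants."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, ts, method, raw_path, status = m.groups()
        decoded = _decode(raw_path.split("?", 1)[0])
        if ".." in decoded.split("/"):
            hits.append({"ip": ip, "time": ts, "method": method, "path": raw_path,
                         "decoded": decoded, "status": int(status)})
    return hits


if __name__ == "__main__":
    _, base = make_sandbox()
    print(vulnerable_read(base, "..%2FDbconfix.xml"))   # leaks the config file
    print(hardened_read(base, "..%2FDbconfix.xml"))     # (403, b'')
    for h in flag_traversal(SAMPLE_LOG):
        print(h["ip"], h["decoded"], h["status"])
```

The confinement check deliberately resolves symlinks with `realpath` on both sides before comparing, because a string prefix test on the unresolved path is the classic way such a check gets bypassed. In the detector, a 200 status on a flagged request is the signal worth paging on: a traversal attempt that the server answered successfully means the file left the box.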
“We've seen retailers consistently struggling with point-of-sale vulnerabilities, and this latest report shows how prominent it is as a third-party attack vector,” CyberGRX Chief Executive Officer Fred Kneip said. “Retailers not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk.”
Kneip added that while all partners must be regularly reviewed and monitored, the level and depth of assessment of tier one partners like MICROS is critical, from core systems and APIs to peripheral areas of exposure such as support portals.