Oracle point-of-sale system vulnerabilities get Big Red cross

Patched, Oracle? Speedily

By John Leyden

A vulnerability has been unearthed in Oracle MICROS point-of-sale (POS) terminals that allowed hackers to read sensitive data from devices.

The flaw (CVE-2018-2636) was fixed in Oracle's January 2018 patch batch, allowing business app security firm ERPScan to go public with its findings. Left unresolved, the bug would enable an attacker to read any file and receive information about various services from a vulnerable MICROS workstation without authentication, ERPScan warned.

CVE-2018-2636 describes a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml, which contain usernames and encrypted passwords used to connect to the database, information about the ServiceHost, and so on.

As a result, the attacker can snatch database usernames and password hashes, brute-force them and gain full access to the database with all its business data. There are several ways to exploit this, leading to compromise of the whole MICROS system.
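As an added illustration (not Oracle's, ERPScan's or The Register's code, and not the EGateway handler itself), here is the naive path-resolution pattern that directory traversal abuses, beside a hardened version that canonicalises the path and keeps it inside the web root. The web root, the request strings and the Dbconfix.xml stand-in are constructed for the example; the file holds only a placeholder.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

def resolve_naive(webroot: str, requested: str) -> str:
    """Vulnerable pattern: decode the request path once and join it onto the
    web root with no check that the result still lies inside the root."""
    return os.path.normpath(os.path.join(webroot, unquote(requested)))

def resolve_safe(webroot: str, requested: str) -> Optional[str]:
    """Hardened: decode twice (so double-encoded '..' is not left for a later
    layer), strip leading slashes so join() cannot be redirected to an absolute
    path, canonicalise with realpath, and require the result to sit strictly
    inside the real web root. Returns None when the request is rejected."""
    root = os.path.realpath(webroot)
    decoded = unquote(unquote(requested))
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if not candidate.startswith(root + os.sep):
        return None
    return candidate

def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return, per constructed request, (naive resolver escaped the web root,
    hardened resolver rejected the request)."""
    base = os.path.realpath(tempfile.mkdtemp())
    webroot = os.path.join(base, "webroot")
    os.mkdir(webroot)
    # Constructed stand-in for a config file kept outside the web root; the
    # name is the one the advisory mentions, the content is a placeholder.
    with open(os.path.join(base, "Dbconfix.xml"), "w") as fh:
        fh.write("<placeholder/>")
    requests = {
        "plain": "index.html",                        # ordinary request
        "traversal": "../Dbconfix.xml",               # plain traversal
        "encoded": "%2e%2e/Dbconfix.xml",             # URL-encoded traversal
        "double_encoded": "%252e%252e/Dbconfix.xml",  # double-encoded traversal
        "absolute": os.path.join(base, "Dbconfix.xml"),  # absolute path to join()
    }
    results = {}
    try:
        for label, req in requests.items():
            naive = resolve_naive(webroot, req)
            naive_escaped = not naive.startswith(webroot + os.sep)
            results[label] = (naive_escaped, resolve_safe(webroot, req) is None)
    finally:
        shutil.rmtree(base)
    return results
```

The double-encoded case shows why the check must run on the fully decoded path: the naive resolver stays inside the root only because it decodes once, so any later decoding stage would reopen the hole.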

Oracle's MICROS technology is used by more than 330,000 cash registers worldwide, including 200,000-plus food and beverage outlets and more than 30,000 hotels in 180 countries. At least 170 MICROS sales terminals are exposed to the internet, ERPScan reported.

Oracle declined to comment on ERPScan's research.

MICROS security has been in the spotlight before. In 2016 hackers attacked the system through its customer support portal. ®
