Oracle point-of-sale system vulnerabilities get Big Red cross

Patched, Oracle? Speedily

By John Leyden

Posted in Security, 31st January 2018 11:58 GMT

A vulnerability has been unearthed in Oracle MICROS point-of-sale (POS) terminals that allowed hackers to read sensitive data from devices.

The flaw (CVE-2018-2636) was fixed in Oracle's January 2018 patch batch, allowing business app security firm ERPScan to go public with its findings. Left unresolved, the bug would enable an attacker to read any file and receive information about various services from a vulnerable MICROS workstation without authentication, ERPScan warned.

CVE-2018-2636 covers a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml, which contain usernames and encrypted passwords for connecting to the database, information about ServiceHost, and so on.

So the attacker can snatch database usernames and password hashes, brute-force them and gain full access to the database with all its business data. There are several ways of exploiting the bug, each leading to compromise of the whole MICROS system.
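The bug class described above, directory traversal in a file-serving endpoint, comes down to how a request path is joined onto a document root. The following is an added illustration, not code from Oracle, MICROS or ERPScan: a naive resolver beside a hardened one, plus a small helper that flags traversal attempts in constructed access-log lines. The root `/srv/egateway/docs`, the log lines and the file names in them are all made up for the demo.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the demonstration; not a real MICROS path.
WEB_ROOT = "/srv/egateway/docs"


def naive_resolve(web_root: str, requested: str) -> str:
    """Vulnerable pattern: the decoded request path is simply joined onto
    the root, so '../' segments walk out of it (the directory traversal
    bug class)."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def safe_resolve(web_root: str, requested: str):
    """Hardened version: decode (twice, to catch double-encoding), reject
    NUL bytes, drop any leading slash so the join cannot become absolute,
    normalise, then confirm the result still lives under the root.
    Returns None for any request that would escape. When the files exist
    on disk, os.path.realpath() is preferable to also resolve symlinks."""
    root = os.path.normpath(os.path.abspath(web_root))
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/\\")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def traversal_attempt(requested: str) -> bool:
    """Detection helper for log review: True when the decoded path contains
    a parent-directory segment, whichever slash style or encoding is used."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


# Constructed access-log lines (not real MICROS logs): one request path each.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /egateway/menu/items.xml HTTP/1.1" 200',
    '10.0.0.9 - - "GET /egateway/%2e%2e/%2e%2e/config/db.xml HTTP/1.1" 200',
    '10.0.0.7 - - "GET /egateway/reports/daily.xml HTTP/1.1" 200',
]


def flag_log_lines(lines):
    """Return the log lines whose request path looks like a traversal attempt."""
    return [ln for ln in lines if traversal_attempt(ln.split('"')[1].split(" ")[1])]
```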

Oracle's MICROS technology is used by more than 330,000 cash registers worldwide, including 200,000-plus food and beverage outlets and more than 30,000 hotels in 180 countries. At least 170 MICROS sales terminals are exposed to the internet, ERPScan reported.

Oracle declined to comment on ERPScan's research.

MICROS security has been in the spotlight before. In 2016 hackers attacked the system through its customer support portal. ®
