Oracle point-of-sale system vulnerabilities get Big Red cross

Patched, Oracle? Speedily

By John Leyden

Posted in Security, 31st January 2018 11:58 GMT

A vulnerability has been unearthed in Oracle MICROS point-of-sale (POS) terminals that allowed hackers to read sensitive data from devices.

The flaw (CVE-2018-2636) was fixed in Oracle's January 2018 patch batch, allowing business app security firm ERPScan to go public with its findings. Left unresolved, the bug would enable an attacker to read any file and receive information about various services from a vulnerable MICROS workstation without authentication, ERPScan warned.

CVE-2018-2636 is a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords used to connect to the database, get information about ServiceHost, etc.

So the attacker can snatch database usernames and password hashes, brute-force them offline and gain full access to the database with all business data. There are several ways to exploit the flaw, each leading to compromise of the whole MICROS system.
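The bug class described above is a path traversal in a file-serving endpoint: a request parameter is joined onto a base directory without checking that the result still lies inside it. The following is an added example, not Oracle's code and not a reproduction of the EGateway endpoint (whose URL and parameter names are not given here); it shows the naive resolver beside a hardened one and exercises both against a constructed sandbox that mimics a "public" log directory with a sibling config file outside it. File names and contents are placeholders, and the sandbox is built in a temporary directory.

```python
"""Directory traversal, illustrated: naive vs. hardened path resolution.

Added example; this is not Oracle/MICROS code and makes no claim about
the real EGateway endpoint. Directory layout and file contents are
constructed placeholders.
"""
import os
import tempfile
from typing import Callable, Optional, Tuple
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: join the user-supplied name onto the base
    directory and trust the result. '../' segments walk out of base_dir."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Hardened resolver. Returns an absolute path inside base_dir, or None
    if the request would escape it (or is otherwise malformed)."""
    # Decode repeatedly so double-encoded sequences like %252e%252e are
    # seen for what they are before the containment check.
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Normalise Windows-style separators and reject embedded NULs.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    # A leading '/' would make os.path.join discard base_dir entirely.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # realpath collapses '..' and follows symlinks; commonpath (not a
    # string-prefix test) prevents /srv/app2 from passing as /srv/app.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_sandbox() -> Tuple[str, str]:
    """Create <tmp>/public/service.log (meant to be served) and
    <tmp>/secret/Dbconfix.xml (must never be reachable). Returns
    (root, public_dir). Contents are constructed placeholders."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(root, "public")
    secret = os.path.join(root, "secret")
    os.makedirs(public)
    os.makedirs(secret)
    with open(os.path.join(public, "service.log"), "w") as fh:
        fh.write("constructed sample log line\n")
    with open(os.path.join(secret, "Dbconfix.xml"), "w") as fh:
        fh.write("<config>constructed placeholder, not real credentials</config>\n")
    return root, public


def read_via(resolver: Callable[[str, str], Optional[str]],
             base_dir: str, requested: str) -> Optional[str]:
    """Serve `requested` through the given resolver; None if refused
    or not a regular file."""
    path = resolver(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    _root, public_dir = build_sandbox()
    probe = "../secret/Dbconfix.xml"
    print("naive :", read_via(naive_resolve, public_dir, probe))
    print("safe  :", read_via(safe_resolve, public_dir, probe))
    print("legit :", read_via(safe_resolve, public_dir, "service.log"))
```

The important check is the `commonpath` comparison after `realpath`, not a blacklist of `..` strings: encoded, mixed-separator and symlink variants all collapse to a real path that either is or is not under the base directory.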

Oracle's MICROS technology is used by more than 330,000 cash registers worldwide, including 200,000-plus food and beverage outlets and more than 30,000 hotels in 180 countries. At least 170 MICROS sales terminals are exposed to the internet, ERPScan reported.

Oracle declined to comment on ERPScan's research.

MICROS security has been in the spotlight before. In 2016 hackers attacked the system through its customer support portal. ®
