
Oracle point-of-sale system vulnerabilities get Big Red cross

Patched, Oracle? Speedily

By John Leyden


A vulnerability has been unearthed in Oracle MICROS point-of-sale (POS) terminals that allowed hackers to read sensitive data from devices.

The flaw (CVE-2018-2636) was fixed in Oracle's January 2018 patch batch, allowing business app security firm ERPScan to go public with its findings. Left unresolved, the bug would enable an attacker to read any file and receive information about various services from a vulnerable MICROS workstation without authentication, ERPScan warned.

CVE-2018-2636 describes a directory traversal vulnerability in Oracle MICROS EGateway Application Service. An insider with access to the vulnerable URL can pilfer numerous files from the MICROS workstation, including service logs, and read files such as SimphonyInstall.xml or Dbconfix.xml, which contain usernames and encrypted passwords used to connect to the database, information about ServiceHost, and so on.

So the attacker can snatch database usernames and password hashes, brute-force them and gain full access to the database with all its business data. There are several ways to exploit the flaw, each leading to compromise of the whole MICROS system.
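As an added illustration of the vulnerability class described above (this is not code from Oracle, ERPScan or the article; the web root, file names, log lines and IP addresses are constructed), here is a naive file-serving routine beside a hardened one, plus a check that flags traversal-shaped requests in web server access logs so defenders can spot this kind of probing:

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed web root and in-memory "files" (hypothetical names; not MICROS paths).
WEB_ROOT = "/srv/egateway/public"
CONSTRUCTED_FILES = {
    "/srv/egateway/public/index.html": "<html>ok</html>",
    "/srv/egateway/public/css/app.css": "body{}",
    # Lives one level above the web root: a traversal bug would expose it.
    "/srv/egateway/config/example_db.xml": "<db user='svc' pass='<hash>'/>",
}


def read_file_vulnerable(requested):
    """Naive handler: the client-supplied path is joined to the web root and
    normalised, so '../' segments (or an absolute path) walk out of the root."""
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, unquote(requested)))
    return CONSTRUCTED_FILES.get(resolved)


def read_file_hardened(requested):
    """Decode once, strip any leading slash, resolve, then refuse anything that
    does not end up strictly inside WEB_ROOT. Also rejects embedded NULs."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if not resolved.startswith(WEB_ROOT + "/"):
        return None
    return CONSTRUCTED_FILES.get(resolved)


# Constructed access-log lines in common log format (addresses from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.5 - - [17/Jan/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.7 - - [17/Jan/2018:10:00:02 +0000] "GET /css/app.css HTTP/1.1" 200 77',
    '198.51.100.9 - - [17/Jan/2018:10:00:03 +0000] "GET /..%2f..%2fconfig/example_db.xml HTTP/1.1" 200 64',
    '198.51.100.9 - - [17/Jan/2018:10:00:04 +0000] "GET /%2e%2e/%2e%2e/other/example.log HTTP/1.1" 404 0',
]

_REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) ')


def is_traversal_attempt(request_path):
    """True if, after one round of percent-decoding, any path segment is '..'.
    Decoding first catches %2e%2e and %2f obfuscation of the same request."""
    decoded = unquote(request_path)
    return any(segment == ".." for segment in re.split(r"[/\\]", decoded))


def flag_traversal_requests(log_lines):
    """Return (client_ip, raw_path) for each log line whose request looks like traversal."""
    flagged = []
    for line in log_lines:
        match = _REQUEST_RE.match(line)
        if match and is_traversal_attempt(match.group(2)):
            flagged.append((match.group(1), match.group(2)))
    return flagged


if __name__ == "__main__":
    print("vulnerable:", read_file_vulnerable("../config/example_db.xml"))
    print("hardened:  ", read_file_hardened("../config/example_db.xml"))
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The hardened routine's key property is that the containment check runs on the fully resolved path, not on the raw request string, so encoded or nested `..` sequences cannot slip past a blocklist. The log check deliberately decodes only once, matching what a server would do, and flags the request whether or not it succeeded (the 404 line is reported too), since probing is worth seeing even when it fails.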

Oracle's MICROS technology is used by more than 330,000 cash registers worldwide, including 200,000-plus food and beverage outlets and more than 30,000 hotels in 180 countries. At least 170 MICROS sales terminals are exposed to the internet, ERPScan reported.

Oracle declined to comment on ERPScan's research.

MICROS security has been in the spotlight before. In 2016 hackers attacked the system through its customer support portal. ®
