ERPScan identified critical vulnerabilities in SAP’s POS allowing hackers to change prices
Palo Alto, CA – 24 August, 2017 – Today at the Hack in the Box – Singapore conference, ERPScan researchers Dmitry Chastuhin and Vladimir Egorov delivered their talk on vulnerabilities they identified in point-of-sale systems developed by SAP and Oracle. The most critical of them affects the SAP POS solution and allows attackers not only to compromise customers’ data but also to gain unfettered control over the POS server.
SAP POS, a client-server point-of-sale system, is a part of the SAP for Retail solution portfolio, which serves 80% of the retailers in the Forbes Global 2000.
As ERPScan’s research revealed, the SAP POS system’s server (Xpress server) suffers from numerous missing authorization checks. Unlike many other POS vulnerabilities, which let attackers eavesdrop on transactions and steal credit card numbers, these flaws go further: if successfully exploited, they give an attacker access to every legitimate function of the system, such as changing prices or remotely starting and stopping terminals.
To illustrate the attack vectors, ERPScan recorded a proof-of-concept video. It demonstrates that, using a Raspberry Pi, a device that costs only $25, a hacker who gets onto the network where the POS terminal is located can install malware designed to apply a significant discount.
The vulnerabilities were reported to the vendor in April 2017. SAP released the first patch in July, in line with its release schedule. Nonetheless, ERPScan researchers examined the fix and found that the newly implemented authorization check could be bypassed by using another vulnerability. ERPScan works closely with SAP and notified the software maker about the failed patch on August 15. Given the criticality of the issues, SAP issued a new patch in less than a week, on August 18.
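The two findings above (a command interface with no authorization checks, and a patch whose check can be bypassed) are a common pattern in client-server POS software. The following is an added illustration of that pattern, not ERPScan's proof of concept and not SAP POS or Xpress server code: a toy store-server command dispatcher in three versions. Version 1 has no check at all; version 2 adds a role check only at the front dispatcher, and a hypothetical second entry point (a batch call that reaches the handlers directly) still bypasses it; version 3 enforces the check at the handler so every entry point is covered. The command names, roles, SKUs and the batch entry point are all constructed for the example; how SAP's first patch was actually bypassed is not stated on this page and is not what the code claims to show.

```python
"""Toy store-server command dispatcher illustrating missing and incomplete
authorization checks. Constructed example; not SAP POS / Xpress server code."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Session:
    user: str
    roles: frozenset = frozenset()


ANON = Session("anonymous")  # unauthenticated caller on the store network


@dataclass
class Store:
    # Constructed sample state: one SKU, one terminal.
    prices: dict = field(default_factory=lambda: {"SKU-1001": 49.99})
    terminals: dict = field(default_factory=lambda: {"T1": "running"})


class Forbidden(Exception):
    """Raised when a caller lacks the role a command requires."""


# ---- business logic: the handlers do no authorization of their own --------
def set_price(store, sku, price):
    store.prices[sku] = price
    return "OK"


def stop_terminal(store, term):
    store.terminals[term] = "stopped"
    return "OK"


HANDLERS = {"SET_PRICE": set_price, "STOP_TERMINAL": stop_terminal}
REQUIRED_ROLE = {"SET_PRICE": "manager", "STOP_TERMINAL": "manager"}


# ---- version 1: the vulnerable pattern, every caller is trusted ----------
def dispatch_v1(store, session, cmd, *args):
    return HANDLERS[cmd](store, *args)


# ---- version 2: "patch" that checks roles at one entry point only --------
def dispatch_v2(store, session, cmd, *args):
    if REQUIRED_ROLE[cmd] not in session.roles:
        raise Forbidden(cmd)
    return HANDLERS[cmd](store, *args)


def batch_v2(store, session, cmds):
    # Hypothetical second entry point that was never routed through the
    # checked dispatcher, so the fix in dispatch_v2 does not cover it.
    return [HANDLERS[c](store, *a) for c, *a in cmds]


# ---- version 3: authorization enforced at the handler, not the entry point
def requires(role):
    def deco(fn):
        @wraps(fn)
        def wrapper(store, session, *args):
            if role not in session.roles:
                raise Forbidden(fn.__name__)
            return fn(store, *args)
        return wrapper
    return deco


HANDLERS_V3 = {
    "SET_PRICE": requires("manager")(set_price),
    "STOP_TERMINAL": requires("manager")(stop_terminal),
}


def dispatch_v3(store, session, cmd, *args):
    return HANDLERS_V3[cmd](store, session, *args)


def batch_v3(store, session, cmds):
    # Same alternate entry point, but the check now travels with the handler.
    return [HANDLERS_V3[c](store, session, *a) for c, *a in cmds]


def demo():
    """Run an anonymous price change against all three versions."""
    results = {}

    s = Store()
    dispatch_v1(s, ANON, "SET_PRICE", "SKU-1001", 0.01)
    results["v1_anon_price"] = s.prices["SKU-1001"]      # 0.01: no check

    s = Store()
    try:
        dispatch_v2(s, ANON, "SET_PRICE", "SKU-1001", 0.01)
        results["v2_direct"] = "allowed"
    except Forbidden:
        results["v2_direct"] = "blocked"                 # front door is fixed
    batch_v2(s, ANON, [("SET_PRICE", "SKU-1001", 0.01)])
    results["v2_batch_price"] = s.prices["SKU-1001"]     # 0.01: side door bypasses it

    s = Store()
    blocked = 0
    for call in (lambda: dispatch_v3(s, ANON, "SET_PRICE", "SKU-1001", 0.01),
                 lambda: batch_v3(s, ANON, [("SET_PRICE", "SKU-1001", 0.01)])):
        try:
            call()
        except Forbidden:
            blocked += 1
    results["v3_anon_blocked"] = blocked                 # 2: both paths refused
    results["v3_price_after_anon"] = s.prices["SKU-1001"]  # 49.99 unchanged
    manager = Session("alice", frozenset({"manager"}))
    dispatch_v3(s, manager, "SET_PRICE", "SKU-1001", 39.99)
    results["v3_manager_price"] = s.prices["SKU-1001"]   # 39.99: legitimate change still works
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check when reviewing a patch like the one described above is the one version 3 passes and version 2 fails: enumerate every path by which a request can reach a privileged handler, not just the one the advisory named, and confirm the authorization decision is made where the privilege is exercised.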
The researchers also examined other POS solutions, for example MICROS from Oracle.
“Broadly speaking, it’s not SAP’s problem. Many POS systems have a similar architecture and thus the same vulnerabilities. POS terminals used to be plagued with vulnerabilities, as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly. On the other hand, banks must adhere to different compliance standards. So, the connections between the POS workstation and the store server turn out to be the weakest link. They lack the basics of cybersecurity – authorization procedures and encryption – and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.”
– commented Dmitry Chastuhin, one of the researchers who identified the vulnerabilities.
Details of the identified vulnerabilities can be found via the link.
ERPScan is the most credible Business Application Cybersecurity provider. The company operates globally and enables large Oil and Gas, Financial, Retail, and other organizations to secure their mission-critical processes. Named an ‘Emerging Vendor’ in Security by CRN and distinguished by 40+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities.
ERPScan’s primary mission is to close the gap between technical and business security and provide solutions for CISOs to evaluate and secure SAP and Oracle ERP systems. Our clients are large enterprises, Fortune 2000 companies and managed service providers.