Oracle POS flaw affecting over 300,000 payment systems worldwide

Palo Alto, CA – January 30, 2018 – ERPScan researchers published the details of a new vulnerability recently patched by Oracle. The vulnerability affects Oracle's MICROS Point-of-Sale terminals and allows an attacker to read sensitive data from the devices.

Oracle’s MICROS runs on more than 330,000 cash registers worldwide, including 200,000+ food and beverage outlets and more than 30,000 hotels across 180 countries.

Although Oracle released a patch closing the vulnerability not long ago, unfortunately not every vendor has installed it. Because these systems are business-critical and always in use, they cannot be updated immediately.

This is not the first time MICROS security has been compromised. In 2016, there was an incident in which hackers attacked MICROS through its Customer Support Portal.

Now the ERPScan Research team has discovered a severe vulnerability in the company’s payment terminals. The flaw allows an unauthenticated remote attacker to read files from a POS system, including the configuration file that stores sensitive information such as passwords. What makes this critical is that a number of MICROS POS systems are exposed to the Internet.

POS systems directly process and transmit our payment orders, so it’s self-evident that they are extremely important and valuable. We use them daily and hope to be secure from theft. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry about the security of our money, and it makes sense.

Alexander Polyakov, CTO of ERPScan

The identified vulnerability received a CVSS v3 score of 8.1. Technically, it is a directory traversal vulnerability: an attacker can read any file by sending a crafted packet to a particular web service on the POS terminal.

The security issue allows full access to the operating system, exposing it to risks such as espionage, sabotage or fraud. Cybercriminals could exploit the system in different ways depending on their goals, for example to steal credit card numbers.

More details are available in the ERPScan blog post.