[SingCERT] Advisory on Critical Security Bug in Oracle's MICROS POS System
02 February 2018
On 30 January 2018, security researchers from ERPScan disclosed a critical security flaw (CVE-2018-2636) in Oracle's MICROS Point-of-Sale (POS) system. Oracle’s MICROS POS software is used in more than 330,000 cash registers globally, including those at food and beverage outlets and hotels.
CVE-2018-2636 is a security flaw that allows attackers to read sensitive data, such as usernames and password hashes, from configuration files on the POS terminals. Using the retrieved data, attackers can perform a brute-force attack to gain full and legitimate access to the POS server's database, which holds vendors' business data and can include their customers’ credit card details. Attackers can also use the stolen usernames and passwords for corporate espionage and to establish proxy endpoints for future cyber-attacks.