[SingCERT] Advisory on Critical Security Bug in Oracle's MICROS POS System

Published on Friday, 02 February 2018 20:24

Background

On 30 January 2018, security researchers from ERPScan disclosed a critical security flaw (CVE-2018-2636) in Oracle's MICROS Point-of-Sale (POS) system. Oracle's MICROS POS software is deployed on more than 330,000 cash registers globally, including at food and beverage outlets and hotels.

CVE-2018-2636 is a security flaw that allows attackers to read sensitive data, such as usernames and password hashes, from configuration files on the POS terminals. Using the retrieved data, attackers can perform a brute-force attack to gain full and legitimate access to the POS server's database, which holds vendors' business data and can include their customers' credit card details. Attackers can also use the stolen usernames and passwords for corporate espionage, or use the compromised systems as proxy endpoints for future cyber-attacks.

Affected Software

Oracle Hospitality Simphony 2.7, 2.8, 2.9

Impact

Once a POS terminal is compromised, attackers are able to obtain sensitive data, such as customers' credit card details and companies' business information, and use it for malicious activities.

Recommendations

Vendors who are using Oracle's MICROS POS system are strongly advised to apply the security patch from Oracle's January 2018 Critical Patch Update (see References) to all affected POS terminals.

References

https://erpscan.com/press-center/blog/oracle-micros-pos-breached/

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixHOSP

https://www.bleepingcomputer.com/news/security/security-bug-affects-over-300-000-oracle-pos-systems/