Over 300,000 Oracle Point-of-Sale Systems at Security Risk – MICROS POS Breached, Again


A new security flaw has been discovered affecting Oracle MICROS point-of-sale (POS) systems. The vulnerability allows attackers to collect configuration files from the affected POS systems, and use this data to gain full access to the POS system and attached services. This flaw is highly dangerous considering a lot of customer financial or personal data is linked with these systems.

Security researchers at ERPScan wrote that criminals have always tried to leverage vulnerabilities that could be used to target POS systems as they are "a hacker’s coveted choice." The exploit in question was discovered by security researcher Dmitry Chastuhin last year affecting Oracle MICROS POS systems. Tracked as CVE-2018-2636, the vulnerability has been given a rating of 8.1 out of 10, meaning it's highly severe.


Using this flaw, attackers can gain unauthenticated read and write access to the POS server's database and read local files to obtain usernames and passwords to gain full access to the database.

CVE-2018-2636 is a directory traversal vulnerability in the Oracle MICROS EGateway Application Service. If an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation, including service logs, and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to the DB, get information about ServiceHost, etc.

So, the attacker can snatch DB usernames and password hashes, brute-force them and gain full access to the DB with all business data. There are several ways to exploit it, leading to compromise of the whole MICROS system.
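For defenders reviewing web logs from an exposed MICROS host, the sketch below (an added example, not code from ERPScan or Oracle) flags requests that carry traversal sequences or name the two configuration files mentioned above, after undoing repeated percent-encoding. The common-log-format layout, the `/hypothetical/svc` path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# File names the article says are read through the traversal flaw.
SENSITIVE_FILES = ("simphonyinstall.xml", "dbconfix.xml")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Assumed log layout: common log format, client address first.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*"')


def normalize(target, max_rounds=3):
    """Undo repeated percent-encoding and unify separators so that
    %2e%2e%2f, %252e%252e%252f and ..\\ all become ../ before matching."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()


def classify(target):
    """Return the reasons a request target looks like a config-file grab."""
    norm = normalize(target)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("traversal")
    if any(name in norm for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return reasons


def scan(log_lines):
    """Yield (client, target, reasons) for each suspicious log line."""
    for line in log_lines:
        m = REQUEST.match(line)
        if m and (reasons := classify(m.group(2))):
            yield m.group(1), m.group(2), reasons


# Constructed sample lines; /hypothetical/svc is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2018:10:00:00 +0000] "GET /hypothetical/svc?op=status HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2018:10:00:03 +0000] "GET /hypothetical/svc/..%5c..%5cSimphonyInstall.xml HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Feb/2018:10:00:04 +0000] "GET /hypothetical/svc/%252e%252e/%252e%252e/DbConfix.xml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status and a response size in the kilobytes is worth treating as a likely disclosure of the stored database credentials, which should then be rotated.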

Along with stealing data, attackers could also install POS malware to collect customer payment details or other types of malware for future attacks. While Oracle fixed the flaw earlier in January, it is unlikely that all the 330,000 affected POS systems will be updated promptly, as it takes months before businesses update their point-of-sale systems. ERPScan added:

Oracle's MICROS has more than 330,000 cash registers worldwide. They are 200,000+ food and beverage outlets and more than 30,000 hotels across 180 countries. Despite the fact that Oracle released patches not so long ago, unfortunately, not every vendor dared install them. Being business-critical and always busy, systems cannot be updated immediately.

Researchers advised that vendors need to persistently implement all security patches to ensure they aren't putting their customers' data at risk. Remember that Forever21 fiasco? You don't want to be at the center of a similar user outcry...

More details on the patch here