PALO ALTO, Calif., Jan. 31, 2018 /PRNewswire/ -- ERPScan researchers published the details of a new vulnerability recently fixed by Oracle. The vulnerability affects its MICROS Point-of-Sale terminals and allows an attacker to read sensitive data from devices.
Oracle's MICROS is deployed on more than 330,000 cash registers worldwide, covering 200,000+ food and beverage outlets and more than 30,000 hotels across 180 countries. Although Oracle released patches not so long ago, unfortunately not every vendor has installed them: these systems are business-critical and always busy, so they cannot be updated immediately.
This is not the first time MICROS security has been called into question. In 2016, there was an incident in which hackers attacked MICROS through the Customer Support Portal.
Now, the ERPScan Research team has discovered a severe vulnerability in the company's payment terminals. The security issue allows files to be read from POS systems remotely without authentication, including a configuration file that stores sensitive information such as passwords. What matters here is that a number of MICROS POS systems are exposed to the Internet.
"POS systems directly process and transmit our payment orders, so it's self-evident that they are extremely important and valuable. We use them daily and hope to be secure from theft. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry about the security of our money, and it makes sense," said Alexander Polyakov, CTO of ERPScan.
The identified vulnerability received a CVSS v3 score of 8.1. Technically, it is a directory traversal vulnerability: an attacker can read any file by sending a packet to a particular web service on the POS terminal.
The security issue gives full access to the operating system, which then becomes subject to risks such as espionage, sabotage, or fraud. Cybercriminals can exploit the system in different ways depending on their needs, for example to pilfer credit card numbers.
Other technical details are available in ERPScan's blog post.
ERPScan is the most respected and credible Business Application Cybersecurity provider. Founded in 2010, the Company operates globally and enables Fortune 2,000 companies to secure their mission-critical processes.
ERPScan's primary objective is to provide smart solutions for assessing ERP systems and business-critical applications and for protecting them from both cyber-attacks and internal fraud. ERPScan is the only ERP Security vendor featured in Gartner MQs, Hype Cycles, and MarketScopes for Application Security and SoD. The Company is named an 'Emerging Vendor' in Security by CRN, listed among the "TOP 100 SAP Solution providers", and distinguished by 40+ awards.