Oracle has released a security patch update to address a critical, remotely exploitable vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.
The fix has been released as part of Oracle’s January 2018 Critical Patch Update, which patches a total of 238 security vulnerabilities across its various products.
According to a public disclosure by ERPScan, the security firm that discovered and reported the issue to the company, Oracle’s MICROS EGateway Application Service, deployed by over 300,000 small retailers and businesses worldwide, is vulnerable to a directory traversal attack.
If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and obtain information about various services through vulnerable MICROS workstations without any authentication.
Using the directory traversal flaw, an unauthorized user with network access to the vulnerable application could read sensitive files through the MICROS workstation, including service logs and configuration files.
As explained by the researchers, two such sensitive files stored within the application storage, SimphonyInstall.xml and Dbconfix.xml, contain usernames and encrypted passwords for connecting to the database.
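The following is an added example, not code from the original article and not ERPScan’s proof of concept or Oracle’s code. It shows the general shape of a directory traversal bug of the kind described above, and the canonicalise-then-check fix, in Python. The directory layout (a served "public" directory with a sibling Dbconfix.xml outside it), the file contents, and the function names are all constructed for the demo; only the Dbconfix.xml file name comes from the advisory, and nothing here reflects the real MICROS layout or request format.

```python
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree():
    """Constructed demo tree (not the real MICROS layout): a 'public' directory the
    service is meant to serve, and a credential-bearing Dbconfix.xml one level
    above it that must never be reachable. Returns the served directory."""
    root = tempfile.mkdtemp(prefix="pos-demo-")
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "menu.xml"), "w") as fh:
        fh.write("<menu/>")
    with open(os.path.join(root, "Dbconfix.xml"), "w") as fh:
        fh.write("<db user='app' password='placeholder'/>")  # made-up content
    return public


def vulnerable_read(base_dir, requested):
    """The bug: the decoded, user-controlled name is joined onto the base
    directory and opened as-is, so '../' segments (or an absolute path)
    walk straight out of base_dir."""
    path = os.path.join(base_dir, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def safe_resolve(base_dir, requested):
    """Canonicalise first, then check containment. This is an allow-list on the
    resolved location rather than a deny-list of '..' strings: encoded or
    mixed-separator variants either resolve outside base_dir (rejected) or
    survive as a literal file name that does not exist (a harmless 404)."""
    name = unquote(requested)
    if "\x00" in name:
        raise ValueError("NUL byte in requested name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %r" % (base, requested))
    return target


def hardened_read(base_dir, requested):
    with open(safe_resolve(base_dir, requested), "rb") as fh:
        return fh.read()


def is_allowed(base_dir, requested):
    """True if the hardened resolver would serve the name (the file may still be
    missing); False if the request was rejected as traversal or malformed."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    public = build_demo_tree()
    print("vulnerable:", vulnerable_read(public, "../Dbconfix.xml"))
    print("hardened allows '../Dbconfix.xml'?", is_allowed(public, "../Dbconfix.xml"))
```

Note that a double-encoded name such as `%252e%252e/Dbconfix.xml` is allowed by the resolver: after one decode it is the literal directory `%2e%2e` inside the served tree, which does not exist, so the read simply fails. That is the advantage of checking the resolved path rather than searching the raw request for `..`.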
“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise,” the researchers warned.
“If you believe that gaining access to a POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to a Raspberry Pi, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store.”
ERPScan has also released a proof-of-concept Python exploit which, when run against a vulnerable MICROS server, sends a crafted request and receives the contents of sensitive files in response.
Besides this, Oracle’s January 2018 patch update also provides fixes for the Spectre and Meltdown CPU vulnerabilities affecting certain Oracle products.
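For defenders, the useful counterpart to a proof-of-concept like the one described above is a way to spot traversal attempts in web server logs. The block below is an added example, not part of the original article and not ERPScan’s tooling: it parses Combined Log Format lines, URL-decodes the request target repeatedly to defeat double encoding, and flags requests that contain a `../` segment or that name either of the two configuration files the advisory calls out. The log lines, the `/svc/files?name=` endpoint and the client addresses are constructed for the demo and do not describe the real MICROS service.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log (Combined Log Format); the endpoint and addresses are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jan/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [17/Jan/2018:10:02:44 +0000] "GET /svc/files?name=../../Dbconfix.xml HTTP/1.1" 200 2048
203.0.113.9 - - [17/Jan/2018:10:02:45 +0000] "GET /svc/files?name=%2e%2e%2f%2e%2e%2fSimphonyInstall.xml HTTP/1.1" 200 4096
203.0.113.9 - - [17/Jan/2018:10:02:46 +0000] "GET /svc/files?name=%252e%252e%252fetc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [17/Jan/2018:10:03:01 +0000] "GET /svc/files?name=menu.xml HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names taken from the advisory; matching is case-insensitive.
SENSITIVE_NAMES = ("simphonyinstall.xml", "dbconfix.xml")


def decode_fully(text, max_rounds=3):
    """URL-decode until the string stops changing, so %252e%252e%252f (double
    encoded) is seen as ../ just like a plain or single-encoded form."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line):
    """Return a finding dict for a suspicious request, or None for a benign line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    raw = parts.path + ("?" + parts.query if parts.query else "")
    # Normalise backslashes so '..\' is treated like '../'.
    decoded = decode_fully(raw).replace("\\", "/")
    reasons = []
    if "../" in decoded:
        reasons.append("dot-dot-slash segment")
    if any(name in decoded.lower() for name in SENSITIVE_NAMES):
        reasons.append("names a credential-bearing config file")
    if not reasons:
        return None
    return {
        "ip": match.group("ip"),
        "time": match.group("ts"),
        "status": int(match.group("status")),
        "decoded": decoded,
        "reasons": reasons,
    }


def scan(lines):
    """Run classify over an iterable of log lines and keep only the findings."""
    return [finding for finding in map(classify, lines) if finding]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["status"], hit["decoded"], "->", "; ".join(hit["reasons"]))
```

A traversal attempt that returns 200 with a non-trivial body is the one to page on; the 404 in the sample shows the same client probing further and is worth correlating by source address, but on its own it only indicates reconnaissance.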