Oracle has released a security patch update to address a critical, remotely exploitable vulnerability affecting its MICROS point-of-sale (POS) business solutions for the hospitality industry.
The fix has been released as part of Oracle’s January 2018 update, which patches a total of 238 security vulnerabilities across its various products.
According to the public disclosure by ERPScan, the security firm that discovered and reported the issue to the company, Oracle’s MICROS EGateway Application Service, deployed by over 300,000 small retailers and businesses worldwide, is vulnerable to a directory traversal attack.
If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and obtain information about various services via vulnerable MICROS workstations without any authentication.
Using the directory traversal flaw, an unauthorized insider with access to the vulnerable application could read sensitive files via the MICROS workstation, including service logs and configuration files.
As the researchers explain, two such sensitive files stored within the application storage—SimphonyInstall.xml or Dbconfix.xml—contain usernames and encrypted passwords for connecting to the database.
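As an added defensive illustration (not ERPScan’s proof of concept or Oracle’s code), the following Python scans web-server access logs for traversal sequences in requested paths, percent-decoding them first so encoded variants are not missed, and flags any request that reaches the two configuration files named above; the log format, the /EGateway URL prefix and the sample log lines are constructed assumptions.

```python
"""Detect directory-traversal attempts against a POS web service in access logs.
Added example, not ERPScan's PoC or Oracle's code; the log format, the
/EGateway URL prefix and the sample lines are constructed assumptions."""
import re
from urllib.parse import unquote

# Files the researchers identified as holding database credentials.
SENSITIVE_FILES = {"SimphonyInstall.xml", "Dbconfix.xml"}

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2018:10:01:02 +0000] "GET /EGateway/status HTTP/1.1" 200 512
10.0.0.9 - - [17/Jan/2018:10:01:07 +0000] "GET /EGateway/..%2F..%2FSimphonyInstall.xml HTTP/1.1" 200 4096
10.0.0.9 - - [17/Jan/2018:10:01:09 +0000] "GET /EGateway/%2e%2e/%2e%2e/Dbconfix.xml HTTP/1.1" 200 2048
10.0.0.7 - - [17/Jan/2018:10:02:11 +0000] "GET /EGateway/menu.xml HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (double encoding is common) and unify separators."""
    path = raw
    for _ in range(3):  # bounded so pathological input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(path: str) -> bool:
    """True if any path segment is exactly '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))

def find_traversal_attempts(log_text: str) -> list:
    """One record per traversal request, marking whether a known sensitive file was targeted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        target = normalize_path(m["path"]).rsplit("/", 1)[-1]
        hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                     "sensitive": target in SENSITIVE_FILES})
    return hits
```

A 200 status on a flagged request is the signal that matters: the traversal did not just get attempted, it succeeded.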
“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise,” the researchers warned.
“If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect them to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store.”
ERPScan has also released a proof-of-concept Python-based exploit which, when executed against a vulnerable MICROS server, sends a malicious request that returns the content of sensitive files in the response.
Besides this, Oracle’s January 2018 patch update also provides fixes for the Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.