ERPScan researchers published the details of a new vulnerability recently fixed by Oracle. The vulnerability affects its MICROS POS terminals and allows an attacker to read sensitive data from devices.
Oracle’s MICROS runs on more than 330,000 cash registers worldwide, serving 200,000+ food and beverage outlets and more than 30,000 hotels across 180 countries. Although Oracle released patches not long ago, unfortunately, not every vendor has dared to install them: being business-critical and always busy, these systems cannot be updated immediately.
This is not the first time MICROS security has been in the spotlight. In 2016, there was an incident in which hackers attacked MICROS through the Customer Support Portal.
Now, the ERPScan Research team has discovered a severe vulnerability in the company’s payment terminals. The security issue enables reading files from POS systems remotely without authentication, including a configuration file that stores sensitive information such as passwords. What makes this serious is that a number of MICROS POS systems are exposed to the Internet.
“POS systems directly process and transmit our payment orders, so it’s self-evident that they are extremely important and valuable. We use them on the daily and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense,” said Alexander Polyakov, CTO of ERPScan.
The identified vulnerability was assigned a CVSS v3 score of 8.1. Technically, it is a directory traversal vulnerability: an attacker can read any file by sending a crafted request to a particular web service on the POS terminal.
The security issue allows full access to the OS, which then exposes the system to risks such as espionage, sabotage or fraud. Cybercriminals can exploit it in different ways depending on their needs, for example to pilfer credit card numbers.
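The article does not describe the MICROS web service itself, so the following is an added, generic illustration (not Oracle's code or ERPScan's proof of concept) of the defect class it names: a file-serving handler that joins a request path onto a base directory without checking that the result stays inside that directory, beside a hardened version that decodes, resolves and then checks containment, and a small detector that flags traversal attempts in constructed web-server log lines. The webroot, the `config.ini` file and the log lines are all constructed inside the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote


def read_file_unsafe(base_dir, requested):
    """Vulnerable pattern: user-controlled path joined onto the webroot unchecked.
    A request for '../config.ini' escapes base_dir and reads a file outside it."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def resolve_safely(base_dir, requested):
    """Hardened resolution: decode (twice, to catch double-encoded dots),
    reject NUL bytes, resolve symlinks, then require the final real path to
    still be inside the real webroot."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute request cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path traversal rejected: %r" % requested)
    return candidate


def read_file_safe(base_dir, requested):
    with open(resolve_safely(base_dir, requested), "rb") as f:
        return f.read()


# Detection side: flag request paths whose decoded form contains a '..' segment.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def is_traversal_request(path):
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_SEGMENT.search(decoded)) or "\x00" in decoded


def flag_traversal(log_lines):
    """Return the log lines whose request path looks like a traversal attempt."""
    flagged = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        if m and is_traversal_request(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (common log format), not real MICROS traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2018:10:00:02 +0000] "GET /files/../../config.ini HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Feb/2018:10:00:03 +0000] "GET /files/%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 200 88',
]


def demo():
    """Build a throwaway webroot with a secret outside it and compare both readers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webroot")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "index.html"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(tmp, "config.ini"), "wb") as f:  # outside webroot
            f.write(b"password=constructed-secret")

        results["unsafe_reads_secret"] = read_file_unsafe(webroot, "../config.ini") == b"password=constructed-secret"
        results["safe_serves_legit"] = read_file_safe(webroot, "index.html") == b"hello"
        for label, req in (("safe_blocks_plain", "../config.ini"),
                           ("safe_blocks_encoded", "%252e%252e/config.ini")):
            try:
                read_file_safe(webroot, req)
                results[label] = False
            except PermissionError:
                results[label] = True
    results["flagged_lines"] = len(flag_traversal(SAMPLE_LOG))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The containment check compares real paths after symlink resolution, so it also catches a symlink inside the webroot that points elsewhere; the detector decodes twice because double URL-encoding is the usual way a single-decode filter is bypassed, and the same decoding is applied on the serving side so the two stay consistent.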
The post Oracle POS flaw affecting over 300,000 POS systems worldwide appeared first on Payments Cards & Mobile.