Oracle’s Micros point-of-sale (POS) systems have been found to have a critical vulnerability, which could be exploited to compromise and download a company’s complete business data. Micros customers are said to include a range of major retail chains, in addition to large worldwide hotel groups. ERPScan security researcher Dmitry Chastuhin, who discovered the bug, said it allows a hacker to gain unauthenticated read and write access to the POS server’s database.
In a blog post earlier this week, ERPScan said that access to a vulnerable device can allow an attacker to read local files, obtain usernames and passwords, and then use them to access the entire database. This frequently includes customer names, contact information, and debit and credit card details. Oracle rated the flaw’s severity at 8.1 out of 10. ERPScan explained, “It means that the security issue is dangerous and must be patched primarily or an attacker will be able to read any file and receive information about various services without authentication from a vulnerable MICROS workstation.”
The bug is only exploitable by those with access to a vulnerable Micros POS device, for example, an employee. Many devices and machines in stores are ethernet-connected, which can allow a hacker to scan the entire network for vulnerable devices. Oracle said the complexity of the attack was “high”.
The flaw was fixed in Oracle’s Critical Patch Update (CPU) of January 2018 as part of its quarterly patching schedule. In its post, Oracle said it “continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes”. The company urged users to “apply Critical Patch Update fixes without delay”.
Oracle’s post led ERPScan to publish proof-of-concept code on GitHub.
Oracle Micros POS devices were also breached in 2016. In that instance, the attackers installed malware on the troubleshooting portal of Oracle’s MICROS payment terminals division, allowing them to capture customers’ usernames and passwords as they logged in. Gaining the log-in information allowed them to access customers’ accounts and remotely administer Oracle’s Micros POS terminals.
ERPScan issued advice, “If you want to secure your system from cyberattacks, you have to persistently implement all security patches provided by your vendor. In our case, refer to Oracle CPU January 2018.”
Point-of-sale terminals have frequently been under attack: if hackers can find their way in, they are greeted with the personal information, orders and credit card details of that company’s entire database of customers. Last year, Forever21 admitted that many of its POS terminals had been targeted, with malware installed on some of its pay terminals for over six months, putting thousands of customers at risk of credit card fraud, in part because encryption had been turned off on some of its POS devices.