Oracle released a security patch update to resolve a critical vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.
The fix has been released as part of Oracle’s January 2018 update that patches a total of 238 security vulnerabilities in its various products. Also, VirtualBox was patched via this annual update.
According to the public disclosure by ERPScan, the security company that identified and reported this issue to Oracle, more than 300,000 small retailers and businesses worldwide are vulnerable to a directory traversal attack.
When successfully exploited, this vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and obtain valuable information about several services from vulnerable MICROS workstations without any authentication. Using the directory traversal flaw, an unauthorized insider with access to the vulnerable application could read sensitive files from the workstation, including service logs and configuration files.
As explained by the researchers, two such sensitive files stored within the application storage, SimphonyInstall.xml or Dbconfix.xml, contain usernames and encrypted passwords for connecting to the database.
“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise”.
“If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store.”
ERPScan has released an exploit as a PoC on GitHub which, when executed against a vulnerable MICROS server, sends a malicious request to retrieve the content of sensitive files.
Oracle’s January 2018 patch update additionally provides fixes for the Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.
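As an added illustration from the defender's side (not part of the original article or of ERPScan's PoC), the following script scans constructed web-server log lines for the traversal pattern described above, undoing URL-encoding so double-encoded variants are caught, and flags requests that reference the two configuration files named by the researchers; the request path and parameter name in the sample are placeholders, not the real MICROS endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The endpoint
# "/app/download?file=" is a placeholder, not the actual MICROS URL.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2018:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.9 - - [17/Jan/2018:10:01:07 +0000] "GET /app/download?file=../../SimphonyInstall.xml HTTP/1.1" 200 2048
10.0.0.9 - - [17/Jan/2018:10:01:09 +0000] "GET /app/download?file=..%2F..%2FDbconfix.xml HTTP/1.1" 200 1024
10.0.0.9 - - [17/Jan/2018:10:01:11 +0000] "GET /app/download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.7 - - [17/Jan/2018:10:02:00 +0000] "GET /app/report?id=42 HTTP/1.1" 200 300
"""

# Files the article names as holding database usernames and encrypted passwords.
SENSITIVE_FILES = ("SimphonyInstall.xml", "Dbconfix.xml")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")          # "../" or "..\" after decoding
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(s, rounds=3):
    """Undo repeated URL-encoding so double-encoded traversal becomes visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return None for benign lines, else a dict describing the suspicious request."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = fully_decode(m.group("path"))
    traversal = bool(TRAVERSAL.search(path))
    targets = [f for f in SENSITIVE_FILES if f.lower() in path.lower()]
    if not traversal and not targets:
        return None
    return {"path": path, "status": int(m.group("status")), "traversal": traversal,
            "sensitive_files": targets, "succeeded": m.group("status") == "200"}

def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `succeeded` set to True and a sensitive file listed means the server actually returned the file, which is the case to escalate first; 404 hits still show someone probing for the flaw.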
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.