Oracle fixed 237 vulnerabilities earlier this month but researchers this week are warning one of the bugs, a vulnerability in MICROS, its line of point-of-sale systems, could have a lingering impact.
The issue (CVE-2018-2636) could allow an attacker to read files and retrieve information from various services on a MICROS workstation without authentication.
Dmitry Chastuhin, a researcher with ERPScan, a firm that specializes in Oracle and SAP security, warned Tuesday that logs and files on MICROS workstations such as SimphonyInstall.xml or Dbconfix.xml could theoretically contain usernames and encrypted passwords. With that in mind, Chastuhin cautions that an attacker could use that information, potentially brute-forcing the passwords, to gain access to a database rich in business data. From there, it's only a short hop, skip, and a jump to a complete MICROS compromise.
Oracle bought the technology from Micros Systems in June 2014. At that point the system was used in roughly 330,000 cash registers worldwide. Oracle went on to incorporate it into its Hospitality suite of solutions in October 2016.
The issue, a directory traversal vulnerability, technically exists in Oracle MICROS EGateway Application Service.
While the vulnerability was addressed with January's Critical Patch Update, it's unclear exactly when the fixes will make their way to stores with MICROS systems in place, as is the case with many point-of-sale system vulnerabilities. Despite landing in the sights of hackers over the last few years, POS systems are patched infrequently, largely out of fear of downtime and instability.
ERPScan notes that according to Shodan, a search engine that lets users find computers connected to the internet, there are 170 or so systems vulnerable to CVE-2018-2636 online, as of this week.
If that doesn't drive home that the vulnerability is worth paying attention to, perhaps the fact that the researcher wrote a proof of concept for it and published it to GitHub will.
While serious, the vulnerability pales in comparison to a breach the MICROS division experienced in 2016. Oracle was forced to issue a mass password reset for anyone using MICROS' online support portal that summer after attackers managed to capture usernames and passwords of users as they logged in.
Oracle never went on record about the breach, but according to cybersecurity reporter Brian Krebs, citing sources close to the investigation, the Carbanak Gang, a Russian cybercrime group believed at one point to be behind a $1B bank heist, was responsible.