
Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems

CyberWisdom Safe Harbor Commentary

I couldn’t believe this story from thehackernews.com, which features the truth about Oracle releasing a security patch update to address critical remotely exploitable vulnerabilities affecting its hospitality industry MICROS point-of-sale (POS) business solution.
The fix was released as part of Oracle’s January 2018 update, which fixes 238 vulnerabilities across its various products.

According to the public disclosure by ERPScan, the security company that discovered the flaw and disclosed it to Oracle, the MICROS EGateway application service is deployed by more than 300,000 small retailers and businesses around the world and is vulnerable to directory traversal attacks.
If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and receive information about various services from vulnerable MICROS workstations without requiring any authentication.
Using the directory traversal vulnerability, an unauthorized insider with access to the vulnerable application can read sensitive files from MICROS workstations, including service logs and configuration files.
As the researchers explained, two such sensitive files stored in the application memory (SimphonyInstall.xml or Dbconfix.xml) contain the username and encrypted password used to connect to the database.
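
A defensive check for the request pattern described above, as an added example that is not from the article or from ERPScan: it flags request targets that contain parent-directory segments or name the two configuration files, after undoing percent-encoding. The three-field log format and the sample lines are constructed assumptions, not the MICROS EGateway log format.

```python
import re
from urllib.parse import unquote

# File names the article says hold the database username and encrypted password.
SENSITIVE_FILES = ("simphonyinstall.xml", "dbconfix.xml")
# A ".." segment that starts a path or parameter value and is followed by a slash.
TRAVERSAL = re.compile(r"(?:^|[\\/=?&])\.\.(?:[\\/]|$)")

def normalise(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.lower()

def classify(request_target: str) -> list:
    """Return the reasons a request target looks like a traversal read attempt."""
    text = normalise(request_target)
    reasons = []
    if TRAVERSAL.search(text):
        reasons.append("traversal")
    if any(name in text for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return reasons

def scan(log_lines):
    """Yield (client, target, reasons) for every flagged line.

    Assumed line format (constructed): <client-ip> <method> <request-target>
    """
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        client, _method, target = parts
        reasons = classify(target)
        if reasons:
            yield client, target.strip(), reasons

# Constructed sample lines, for illustration only.
SAMPLE_LOG = [
    "10.0.0.5 GET /status",
    "10.0.0.9 GET /files?name=..%2f..%2fSimphonyInstall.xml",
    "10.0.0.9 POST /svc?path=%252e%252e%255cDbconfix.xml",
    "10.0.0.7 GET /reports/daily..summary.csv",
]
```

Running `list(scan(SAMPLE_LOG))` flags the two requests from 10.0.0.9 and leaves the benign `daily..summary.csv` request alone.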

The researchers warned: “Therefore, an attacker could crawl the database username and password hash, tamper with it and use all business data to gain full access to the database in a variety of ways, resulting in compromise of the entire MICROS system.
“If you think visiting the POS URL is a good choice, keep in mind that hackers can find digital scales or other devices that use RJ45, connect it to a Raspberry Pi, and scan the internal network, which makes it easy for them to spot POS systems. Remember this fact when you enter the store.”
ERPScan also released a proof-of-concept Python-based exploit which, if executed on a vulnerable MICROS server, sends a malicious request to get the contents of a sensitive file.
In addition, Oracle’s January 2018 Patch Update also provides fixes for the Spectre and Meltdown Intel processor vulnerabilities affecting some Oracle products.


Oracle MICROS POS Vulnerability Puts 300,000 Systems at Risk

https://threatpost.com/oracle-micros-pos-vulnerability-puts-300000-systems-at-risk/129736/
Oracle has issued a fix, but many Micros systems could still be vulnerable…

Security Bug Affected 300,000 Oracle Point of Sale Systems Puts the Critical Business Data at Risk

https://gbhackers.com/oracle-pos-systems/
Oracle POS Systems widely used in food and beverage solutions affected by a Security Bug that allows attackers to gain full access to the business data. Security researchers from ERPScan detected directory traversal vulnerability (CVE-2018-2636) in Oracle MICROS EGateway Application Service. Oracle issued a security patch for the vulnerability starting January 2018. The Flaw allows…