Oracle MICROS POS is a hospitality management platform providing enterprise point-of-sale (POS) and back-office functionality to support a wide range of food and beverage operations. Oracle’s MICROS is deployed on more than 330,000 cash registers worldwide, and Oracle is currently the third-largest provider of POS software on the market.
In January 2018, as part of its quarterly patching schedule, Oracle released a patch for a critical, remotely exploitable vulnerability that affects thousands of MICROS point-of-sale (POS) business solutions worldwide. The flaw is tracked as CVE-2018-2636 and carries a CVSS base score of 8.1. It allows anyone with access to the device to conduct a directory traversal attack. If exploited, the flaw lets an unauthenticated user gain access to sensitive data and obtain information about various services from vulnerable MICROS workstations. Attackers can read service logs and configuration files on the vulnerable devices, and can get hold of customer names, email addresses, users’ dates of birth, phone numbers, total sales, debit and credit card details, and information about promotions and discounts. Attackers can also alter these details.
Oracle MICROS POS devices store the usernames and encrypted passwords used to connect to the database in the SimphonyInstall.xml or Dbconfix.xml files. Using a directory traversal attack, an attacker can gain access to these files and thus obtain DB usernames and password hashes, which can then be used to gain full, legitimate-looking access to the POS system. Once in, an attacker can potentially do anything with the POS system, such as installing malware to collect payment card details. A proof of concept (PoC) is also available which attempts to retrieve the contents of sensitive files from the device.
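As an added defensive example, not part of the original article, the referenced PoC or Oracle’s code: a small access-log scanner that flags requests carrying a directory traversal sequence aimed at the two configuration files named above, including URL-encoded and double-encoded forms. The sample log lines and the /app/fetch?file= endpoint are constructed placeholders, not the real MICROS request path.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The two files the article names as holding DB usernames and encrypted passwords.
SENSITIVE_FILES = ("simphonyinstall.xml", "dbconfix.xml")

# Constructed sample access-log lines ("METHOD PATH STATUS"); not real traffic,
# and the /app/fetch?file= endpoint is a placeholder, not the MICROS endpoint.
SAMPLE_LOG = """\
GET /index.html 200
GET /reports/daily?date=2018-01-20 200
GET /app/fetch?file=../../../../Micros/SimphonyInstall.xml 200
GET /app/fetch?file=..%2F..%2F..%2FDbconfix.xml 200
GET /app/fetch?file=%252e%252e%252f%252e%252e%252fDbconfix.xml 200
"""

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double-encoded %252e%252e%252f),
    fold backslashes to slashes and lower-case for case-insensitive matching."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

# A '..' segment bounded by a path/query delimiter or the start/end of the string.
TRAVERSAL_RE = re.compile(r"(?<![^/=?&])\.\.(?=[/?&]|$)")

def classify(target: str) -> Optional[str]:
    """'traversal+config', 'traversal', 'config', or None if nothing suspicious."""
    t = normalize(target)
    traversal = TRAVERSAL_RE.search(t) is not None
    config = any(name in t for name in SENSITIVE_FILES)
    if traversal:
        return "traversal+config" if config else "traversal"
    return "config" if config else None

def scan_log(log: str) -> List[Tuple[int, str, str]]:
    """Return (line number, request target, label) for every flagged line."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        label = classify(parts[1])
        if label:
            hits.append((lineno, parts[1], label))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 3 to 5 as "traversal+config"; a request naming one of the two files without a traversal sequence is still reported as "config" so it can be reviewed.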
The flaw can be exploited remotely or from the local network. A number of misconfigured POS systems are reachable online and could be exploited if they have not been updated with Oracle’s latest patches. Many POS systems are properly configured and not reachable over the internet, but these systems are vulnerable too: attackers can compromise other systems on the store’s internal network and use them as control points for the attack code. An attacker can also visit the store in person, find digital scales or any other device that uses RJ45, connect a Raspberry Pi to it, scan the internal network and run the exploit code.
Although Oracle issued updates for this issue in January 2018, it will take months until the affected devices are patched: POS systems are business-critical, and system administrators rarely schedule updates for fear of downtime and financial losses to their companies should a patch prove unstable. Moreover, being business-critical and always busy, POS systems cannot be updated immediately.
Below is an example showing the response to a malicious request that reads the MICROS database credentials (usernames and hashes): the vulnerable MICROS server sends back a response containing the requested details.
Affected versions of Oracle Micros Point-Of-Sale Systems:
All the currently supported versions 2.7, 2.8 and 2.9 are affected.
Apply the latest patch released in Oracle’s January 2018 patch update. That same January 2018 update also includes fixes for the Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.