Point-of-sale systems are rich targets for attackers, given their status as a gateway to credit card information, customer and back-office data and other goodies.
A recently patched vulnerability in Oracle’s MICROS POS system software can lead to attackers gaining full access to the systems, say researchers.
The vulnerability (CVE-2018-2636) has a CVSS v3.0 base score of 8.1. Specifically, it targets the Simphony POS software suite, which provides both back-office and customer-facing applications that run on fixed and mobile devices. It is widely used in the restaurant and hotel industries. Affected versions include 2.7, 2.8 and the most recent version 2.9, released in October 2016.
The vulnerability is “difficult to exploit” but allows an attacker to compromise the applications over HTTP without the need for authentication, Oracle said in documentation for the recent patch update. Successful attacks “can result in takeover” of a Simphony system, it added.
In a blog post, ERPScan provided more detail, saying that an attacker could take advantage of a directory traversal vulnerability in MICROS EGateway Application Service.
“In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.,” the company said. “So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data.”
Using a Shodan search, ERPScan found 170 Micros POS systems exposed on the internet. That’s a tiny fraction of the total MICROS system landscape, as the systems are deployed at more than 330,000 sites worldwide.
But hackers could also make an in-store visit, find a public device–such as a digital scale for weighing produce or other goods–that uses an RJ45 ethernet jack to connect to the store’s network, plug it into a Raspberry Pi and scan the internal network that way, ERPscan said. “That is where they [can] easily discover a POS system,” the researchers wrote. “Remember this fact when you pop into a store.”
There’s no word on whether any MICROS systems have been breached by the recently patched vulnerability, but it is likely still present in many of them. ERPScan has released a script on Github that MICROS sysadmins can use to check if their environments are vulnerable.
Should a successful breach occur, it will not be the first time for MICROS . In August 2016, Oracle reported that it had discovered malicious code on “some legacy MICROS systems” and told all customers to reset their passwords.
The attackers managed to place malware on a MICROS support server, which was then able to snatch customers usernames and passwords, Krebs on Security reported at the time. They were apparently associated with the Carbanak gang, which is part of a Russia-based cybercrime group suspected of stealing $1 billion from banks.
More recently, fashion retailer Forever 21 confirmed that hackers had managed to install malware on a number of its POS terminals, allowing them to steal customer credit card data. The malware was present on some of Forever 21’s systems for nearly eight months during 2017, the company said.
POS attacks may mount further going forward, simply because a fast-growing attack surface will give cybercriminals more opportunities to exploit systems.
For example, the retail and hospitality world is increasingly rolling self-service kiosks in response to customer expectations as well as the bottom line. McDonald’s began installing self-service ordering at all 14,000 U.S. locations beginning in 2016, and the move has been credited with helping it shore up previously flagging sales.
“Point-of-sale terminals are elements that an average person deals with regularly in everyday life,” ERPScan said, adding, “It makes this sphere especially important and encourages paying extra attention and taking necessary security measures.”