Oracle Micros POS station

Hackers have a new security flaw in their arsenal they can exploit to install POS malware on Oracle Micros point-of-sale systems.

Oracle issued updates for this issue earlier this month, but it will take months until the patch lands on affected POS systems.

The reason is that POS systems are business critical systems, and sysadmins rarely schedule maintenance and update operations, fearing that an unstable patch might cause further downtime and financial losses to their companies.

Flaw lets attackers install malware on vulnerable systems

The flaw is nothing to ignore, according to Dmitry Chastuhin, the ERPScan security researcher who discovered the issue (tracked as CVE-2018-2636).

Chastuhin says the vulnerability allows an attacker to collect configuration files from Micros POS systems. The retrieved data can then be used to grant attackers full and legitimate access to the POS system and attached services (database, server).

In the most likely scenario, an attacker would install POS malware to collect payment card details, but an attacker could also install other types of malware for corporate espionage, set up proxy endpoints for future attacks, or more.

Flaw can be exploited remotely or from the local network

The flaw can be exploited remotely via carefully crafted HTTP requests. A Shodan search shows that around 170 poor souls have misconfigured their POS systems, which are now available online and could be exploited if they have not been updated with Oracle's patches.

Oracle says that over 300,000 companies have chosen to deploy Micros POS systems to handle credit/debit card payments. Set against the roughly 170 systems found exposed online, this means that most deployments are not exploitable via the Internet.

But those internal systems are vulnerable too. Hackers can compromise other systems on the store's internal network and use them as relay points for the attack code.

In addition, an attacker can always visit the store, identify an open networking port, distract the store staff, and infect the POS system by connecting a small Raspberry Pi board that runs the malicious exploit code.

Patches for this flaw were made available in Oracle's Critical Patch Update (CPU) for January 2018. Oracle bought MICROS Systems, Inc. in 2014 for $5.3 billion. Currently, Oracle is the third-largest provider of POS software on the market. The company suffered a security breach of its Micros network in 2016.
